About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.


PHP Security Consortium Redux

The launch of the PHP Security Consortium was a big success. It required more work than I expected to get things going, but I think we're now set to make some very positive contributions to the community.

In addition to being mentioned on PHP.net, Zend.com, and Slashdot.org, eWeek published a story about the group's purpose and future direction. Although the story misses a few important points - our formation was not triggered by the Santy worm, and I made no mention of offering security audits - the overall characterization of the PHPSC is pretty accurate.

There are a few notable blogs that mention the event. Jamie Lewis, the CEO of Burton Group, writes:

Given the popularity of PHP, this sounds like a good idea. (Richard Monson-Haefel has been doing some great research for us on how and where enterprises are using the "P" scripting languages, and it's pretty amazing. We'll be publishing that report in a month or so.) Hopefully the group's efforts will lead to better programming practices, the root of many application vulnerabilities.

Richard Monson-Haefel, whom Jamie references, has been in touch with me regarding his report. Although the report and his interest in my counsel were unrelated to the formation of the PHP Security Consortium, he initially expressed some of the misconceptions I hope to help dispel.

Dana Epps, a recognized security expert, writes:

This is a positive move for the language. Let's hope the effort to educate the PHP community causes a rippling effect and promotes the fixing of many of the problems that exist in the tools and technologies that reside there today.

Congratulations to the PHPSC, and good luck.

It's nice to see so much attention coming from outside of the PHP community. As Dana mentions, she is not a fan of PHP. Those within the PHP community know that PHP's poor reputation is undeserved. While the focus of our group is not advocacy, we can potentially have a positive effect on the general perception of PHP and security.

Of course, there was some attention given within the PHP community as well. John Lim writes:

The recently formed PHP Security Consortium has an excellent set of links to PHP security articles. The session management articles by Chris Shiflett are excellent. They discuss how session stealing can occur, and the different techniques you can use to minimize the risk.

I appreciate John's kind words, and it's nice to see that these articles are helpful. I have plans to enhance and grow our library, so that it contains links to many approved PHP security resources. The idea is that we will try to endorse quality documentation, regardless of where it is hosted. For resources that already have a home, we will provide a link in our library. For everything else, we will provide a home in the articles section.

Thanks to everyone who supports the PHPSC. I promise to work hard at promoting secure programming practices within our community.

About this post

PHP Security Consortium Redux was posted on Thu, 03 Feb 2005.

3 comments

1. verbat said:

Well, it is a nice thing to see, educating people about security. But as many pointed out, you should fix the article about captcha, where you have an obvious race condition. Not the best way to educate :)

Fri, 04 Feb 2005 at 09:50:13 GMT


2. Chris Shiflett said:

There is no race condition in the article. You can certainly implement one, if you like. While it won't be a security vulnerability, it can possibly adversely affect your legitimate users under load.

I think the article is sufficiently vague in terms of the implementation details (and these will vary drastically according to the site's performance requirements).

Fri, 04 Feb 2005 at 17:25:39 GMT


3. Ed Finkler said:

We're very happy to see the formation of the PHPSC. Hope you get some traffic from our reposting of the press release.

Good luck!

Fri, 04 Feb 2005 at 22:21:12 GMT
