PHP Security Consortium

Published in PHP Architect on 15 Feb 2005

This is a brief story about how the PHP Security Consortium came to be.

PHP Security Experiments

In October 2004, I was conducting a series of experiments to test some new theories regarding the insecurity of modern web apps. There was also a personal curiosity factor; I wanted to see whether my efforts to educate the community were doing any good. I had been heavily devoted to PHP security education for more than two years by this point.

I was very discouraged by the results. It’s not that my experiments were a failure; on the contrary, they were more successful than I had hoped. Whereas some of the practices I try to teach people are a bit advanced in order to thwart advanced attacks, many of them are trivial to implement and can prevent a large number of vulnerabilities. Almost nowhere did I find any of these practices being employed, even in very popular apps and web sites. When you invest a lot of sincere effort into educating people about security, it’s discouraging to feel like all of your work has been in vain.

I am constantly refining my approach — the practices that I recommend as well as the manner in which I recommend them. For example, although I am a firm believer in the security benefits of defense in depth, I have been trying to reduce my recommendations to the most effective measures. When my description of a particular practice is very thorough, I try to recap with a "least you can do" summary. Frequent readers should be familiar with this approach.

Clearly, my efforts were not enough. In addition, I possessed very dangerous information at this point. I had developed, in theory, a type of web attack that could spread itself like a worm. Because I was too busy to properly deal with the situation alone, I decided to mention my experimentation in my blog and solicit some help.

The response was tremendous. Because I only wanted a few volunteers and didn't want to repeat my early mistakes with PHPCommunity.org (where I had several hundred volunteers but very little actual work to be done, resulting in deadlock), I selected a few people to help and politely refused everyone else. My selections were pretty arbitrary, of course, but I did base my decisions in part on how much each person had contributed to the PHP community.

I didn't realize that the people in the group were going to be charter members of the PHP Security Consortium, but it turned out to be an excellent and diverse group of smart people who were eager to help improve the state of security within the PHP community.

Naming the Group

With this group established and an open channel of communication in the form of a mailing list, we began to discuss possible projects that would benefit the community. I mentioned a large list of PEAR modules that I've been meaning to write, we considered posting a quiz on a web site somewhere to gauge the weak points within the community, and we discussed the possibility of speaking at conferences and user groups.

PHP Quebec's call for papers was still open at this point, so I encouraged Ben Ramsey to submit a proposal about our work. In order to have something to call the group in his proposal, we needed a name. PHP Security Consortium was mentioned, and although some early criticism was that it was a "big name for a small group," we decided that it had positive vibes and would give us something to grow into. Of course, we also weren't interested in investing much time in something as trivial as naming the group, so we chose something and moved on.

Projects

By this time, we had a substantial and growing list of possible projects. The one I chose to champion was the adoption of my PHP Security Workbook (as well as renaming it to PHP Security Guide, since I never got around to making it a real workbook). This seemed like a good resource to provide, and it was already available. At the very least, it provided a foundation from which to build a pretty complete guide to help get people up to speed on PHP security.

Ivan Ristic commissioned Peter Jovanovich to design a web site, so that we would have somewhere to publish the guide, information about the group, and any other useful resources that we would create in the future. (Peter is the designer who won the PHPCommunity.org logo contest last year.)

Ivan is also the author of Apache's mod_security, among other things, and he keeps a library of web app security resources at the ModSecurity web site. A few of these are specific to PHP, and we decided that it would be good to provide a similar repository of links on the PHPSC web site. There are already plans to extend and improve upon this idea.

Articles

One problem that I identified long ago is that there is a substantial and growing amount of misinformation available on the Web. When someone writes about PHP security, the publisher generally doesn't know whether the information is accurate. Unfortunately, many budding PHP developers learn from flawed articles and apply weak security practices, gaining a false sense of security. By my own meager estimates, I would guess that at least half of the articles I have read on the topic of PHP security are flawed. This is not a small problem.

Our solution is twofold: we link to approved resources within our library and we publish approved articles on our web site. This solution sufficiently promotes quality documentation regardless of whether the author already offers it on the web, and it provides the PHP community with trustworthy information.

Thankfully, Marcus Whitney wrote an article on using Text_CAPTCHA in order to give us an article to publish in time for the launch of the web site, and I’ve already received a few good articles from various members of the community.

Where Are We Now?

As I write this, we have just launched our web site, and it was a very successful day. We received major press from all over — PHP.net, Zend.com, Slashdot.org, and eWeek.com to name a few. The response was very positive, and all of the attention has two benefits: our efforts reach more people, which is always good, and our practices get analyzed by experts from all over the world. I have already received several emails claiming to have found a flaw in the Text_CAPTCHA article or the PHP Security Guide. While none of these reports have been accurate, it's nice to know that this documentation is being heavily scrutinized. I greatly appreciate all of these attempts to find the slightest of flaws in our documentation.

I have received email from many volunteers offering to translate the PHP Security Guide into different languages, so that is something else to look forward to.

We are using DocBook Lite as our official documentation format. This is a very simple XML format that makes it very easy to markup technical documentation. We also accept documentation in plain text, so that the format doesn’t exclude any useful resources. DocBook Lite lets us conveniently and accurately convert the original document to HTML, PDF, and a number of other formats.

Where Are We Going?

Most of the projects on our list were set aside as we focused on the group itself. We focused our efforts on the launch of the web site, the creation of our policies and charter, and the PHP Security Guide. Now that we have launched, we can once again resume our initial plans.

The experimentation that led to all of this will certainly continue. We hope to help push the envelope with regard to new discoveries in web app security, and we will post case studies in cases where we think it can have positive educational benefits.

We also plan to focus heavily on the resources that we provide (articles) as well as those that we link to (library). With an accurate and substantial collection of PHP security resources, we think we can make a positive impact.

Of course, the PHP Security Guide will continue to improve. Because it still represents the curriculum of my O’Reilly Open Source Convention tutorial, PHP Security, it only contains those topics that I chose to cover in a three hour period. The next version of the guide will be slightly expanded, and we will continue to refine our practices as well as the method in which we explain those practices.

Until Next Time…

I think the formation of the PHP Security Consortium is a significant event, and I hope we can help improve the state of web application security within the PHP community. Our efforts may be the topic of a future Security Corner — perhaps we will develop a useful tool, reveal a new type of security vulnerability, or create a new practice that can help you increase the security of your PHP applications.

Whatever the future holds for the PHP Security Consortium, you can be sure I’ll keep you informed.

Until next month, be safe.