Ed Finkler Talks About PHPSecInfo


Recently the PHP Security Consortium released their latest project, PHPSecInfo. PHPSecInfo was conceived and written by Ed Finkler, who works at CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. Intrigued as much by the project as by the fact that Ed wrote me and told me it was time for me to interview him, I called Ed and we talked about it.

So, Ed, I’ve installed your new tool, PHPSecInfo, on my server and I can see now that there are some problems with my server. I guess the first question that comes to my mind is “Why did you build this?”
I built it because there was no good way to audit the security settings in your PHP.INI or your PHP environment. The average PHP user, I feel, is someone who can use an installer to install scripts on their server, get them running and do a little customization or hack up some code, but they are not educated developers. These users have no easy way to check how secure their environment is. So I wrote PHPSecInfo to give these users something easy to run that presents the information in a format they are already familiar with.

One of the self-imposed restrictions that went into the development was that I chose to make it look like the output of phpinfo(). phpinfo()’s output is something very familiar to a majority of people who work with PHP. However, we were very careful with the output of the tests. We tried not to say this is “absolutely” wrong and you need to change it. You know as well as I do that sometimes you have a non-standard setup. If you know about the non-standard issue and are careful with it, it won’t be a problem. So we will flag something as potentially dangerous, but we stop short of saying it’s wrong. We don’t want to make assumptions about people’s setup, but we do want to raise awareness of potential problems.

So one of the target audiences then would be people running web sites in a shared hosting environment?
Yes, that is one of the target audiences. Will it only be useful to that audience? No. I think it is going to have a much larger audience. I wanted to make something that was going to have an impact on the majority of PHP installations out there. The goal is to make people aware of the problems so they can fix them.

One of the other self-imposed restrictions I placed on the design was that I wanted it to be easy to use. You don’t have to instantiate an object and then call a method or anything. I wanted it to be a simple static function that you can call and it outputs the results.

So that was the basic idea. I kicked it around for a while and I had several people who were interested in it as a concept so I decided I would have to sit down and actually write it. So a couple of months before OSCON I actually wrote the framework for it. I wrote the API for the tests and everything. I shared it with the folks on the PHP Security Consortium mailing list to get some feedback on it. A couple of people have contributed tests to the project, I think Paul Reinheimer wrote a couple of them.

At OSCON I showed it to a couple of people and got really good feedback on it. People seemed to be really into it; so that was very encouraging. From there I kept in touch with a couple of people I met at OSCON. I even received a test from a member of the Portland PHP Users Group. Basically it all started to come together.

I’ve been in a holding pattern for a little bit as I got everything together for an official launch. Of course I’ve been busy with other things too. Now that it’s officially out, though, I’m hoping for some good feedback on how we can make it better. I’m also hoping that the PHP community at large will get involved with the project and help me with tasks like finding bugs and writing new tests.

Ok, interesting. Now you are a member of the PHP Security Consortium. Is this an official phpsec.org project?
Yes. This project moved through the approval process at phpsec.org and was voted on and it is now an official project of the Consortium.

You mentioned earlier that the system is modular in design. Are you hoping that others will contribute new tests?
Yes, you can download the source and look at it; it’s not encrypted or anything. It’s a pretty simple API and it’s easy to write tests for it. We package the generated documentation with it. Between that and the source code, it should be easy to write your own tests. We encourage everybody using the code to write their own tests to meet their own needs. We [Ed. The phpsec.org principals] are also open to proposals for tests to be included in the official distribution.

Thank you for your time, Ed, and thank you for this very cool new tool. I look forward to future releases and the new tests that people will be writing.

Here are a few links if you are interested in learning more:

http://phpsec.org/projects/phpsecinfo/
http://phpsec.org
http://www.cerias.purdue.edu
http://funkatron.com/wp/
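As an added example (not PHPSecInfo's own code), the following sketches the design Ed describes in the interview: independent checks that each read one php.ini setting through ini_get(), return a graded verdict rather than a flat "wrong", and are run from a single static call that renders phpinfo()-style output. The class, check names and grade labels are hypothetical choices for this illustration, not the project's API.

```php
<?php
// Added illustration, not PHPSecInfo's own code or API: independent checks,
// each reading one ini_get() setting and returning [grade, explanation], plus
// one static entry point that renders them. All names here are hypothetical.
final class IniAudit
{
    // setting => check returning [grade, explanation]
    private static function checks(): array
    {
        $on = fn(string $k) => filter_var(ini_get($k), FILTER_VALIDATE_BOOLEAN);
        return [
            'display_errors' => fn() => $on('display_errors')
                ? ['WARN', 'Error text (file paths, query fragments) reaches the browser; log_errors is the production alternative.']
                : ['OK', 'Errors are not displayed to clients.'],
            'expose_php' => fn() => $on('expose_php')
                ? ['NOTICE', 'X-Powered-By reveals the PHP version; acceptable only if you accept fingerprinting.']
                : ['OK', 'PHP version is not advertised.'],
            'allow_url_include' => fn() => $on('allow_url_include')
                ? ['WARN', 'include/require accept URLs; a user-influenced include path becomes remote code execution.']
                : ['OK', 'include/require are limited to local files.'],
            'open_basedir' => fn() => ini_get('open_basedir') === ''
                ? ['NOTICE', 'No filesystem boundary; fine on a dedicated box, worth setting on shared hosting.']
                : ['OK', 'File access limited to ' . ini_get('open_basedir')],
        ];
    }
    // One static call, as in the interview: run every check and print.
    public static function render(): void
    {
        $rows = [];
        foreach (self::checks() as $setting => $check) {
            [$grade, $why] = $check();
            $rows[] = [$setting, (string) ini_get($setting), $grade, $why];
        }
        if (PHP_SAPI === 'cli') {            // plain text when run from a shell
            foreach ($rows as $r) {
                printf("%-18s %-6s %-7s %s\n", ...$r);
            }
            return;
        }
        // phpinfo()-style table for the browser; every cell is escaped
        echo "<table border=\"1\"><tr><th>Setting</th><th>Value</th><th>Result</th><th>Note</th></tr>\n";
        foreach ($rows as $r) {
            $cells = array_map(fn(string $c) => '<td>' . htmlspecialchars($c) . '</td>', $r);
            echo '<tr>', implode('', $cells), "</tr>\n";
        }
        echo "</table>\n";
    }
}
IniAudit::render();
```

Adding a check means adding one more entry to the array; nothing else in the renderer changes, which is the modularity the interview describes.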

=C=

Comments


Tuesday, May 29, 2007
THX
1:30PM PDT · andyzzz