PHP Security Tip #13


Security is a mindset, not just something you do. It colors your application design as well as your coding. However, you also need to constantly monitor your production environment. That’s where selecting the right tool comes into play. I know I’ve mentioned PHPSecInfo before but I think this tool is important enough to warrant its own post.

PHPSecInfo is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the PHP Security Consortium. Here’s what the PHPSecInfo homepage has to say about itself.

PHPSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

If you need more info, here’s the link to a short interview with Ed talking about PHPSecInfo. Here is another link to the latest release notice for version 0.2.

As with all security measures, by itself it’s not the silver bullet. Used properly though, it can be part of a comprehensive solution.
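To show the kind of environment check the quoted description refers to, here is a small added example. It is not PHPSecInfo's code: the directive list, the expected values, the advice strings and the helper names `ini_flag` and `audit` are this example's own assumptions for a production web server.

```php
<?php
// Added example, not PHPSecInfo's code. Directives and advice are assumptions.

/** Normalise a php.ini boolean ("1", "On", "off", "") to bool; null if unknown. */
function ini_flag(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;                       // directive not known to this PHP build
    }
    $raw = strtolower(trim($raw));
    if ($raw === 'stdout' || $raw === 'stderr') {
        return true;                       // display_errors accepts these as "on"
    }
    return in_array($raw, ['1', 'on', 'yes', 'true'], true);
}

/** Compare each directive with the value wanted in production. */
function audit(array $checks): array
{
    $report = [];
    foreach ($checks as [$name, $wanted, $advice]) {
        $actual = ini_flag($name);
        if ($actual === null) {
            $status = 'n/a';
        } elseif ($actual === $wanted) {
            $status = 'pass';
        } else {
            $status = 'notice';
        }
        $report[] = ['name' => $name, 'status' => $status, 'advice' => $advice];
    }
    return $report;
}

$checks = [
    // directive,          wanted, suggestion shown when the value differs
    ['display_errors',    false, 'Log errors instead of showing them to visitors.'],
    ['log_errors',        true,  'Enable so errors are recorded in the server log.'],
    ['expose_php',        false, 'Stop sending the PHP version in X-Powered-By.'],
    ['allow_url_include', false, 'Disallow include/require of remote URLs.'],
    ['allow_url_fopen',   false, 'Turn off unless the app reads remote URLs via file functions.'],
];

foreach (audit($checks) as $row) {
    $hint = $row['status'] === 'notice' ? $row['advice'] : '';
    printf("%-18s %-7s %s\n", $row['name'], $row['status'], $hint);
}
```

Run it through the same SAPI that serves the site, because the command-line PHP binary often loads a different php.ini than the web server does.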

=C=

Comments


Thursday, March 22, 2007
FALSE POSITIVE WITH SUPHP
5:38AM PDT · pr0teus666
PHPSECINFO ON WINDOWS?
1:56PM PDT · breich
Friday, March 23, 2007
SUPHP AND UID/GID ON WINDOWS
8:37PM PDT · funkatron
Monday, March 26, 2007
SUPHP
1:00PM PDT · pr0teus666