Federico Biancuzzi has published an interesting article at securityfocus.com in which he interviews Stefan Esser. The list of topics they discuss is wide ranging. Here’s the opening paragraph that will give you a little taste.
Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the upcoming “Month of PHP bugs” initiative, and common mistakes in the design of well-known applications such as WordPress.
The three-page interview is well written, and if you skip over the more self-aggrandizing comments, there are some interesting nuggets of truth to be mined. For instance, when discussing the upcoming “Month of PHP Bugs”, Stefan has this to say.
For some of the reported bug classes like SQL injection and XSS, this is quite unfair, because those can happen in any language. But Remote File Inclusions, vulnerabilities due to register_globals or other problems within the PHP engine (e.g. zend_hash_del_key_or_index bug) are fully to blame on the PHP language.
Which is a reasonable statement and one of the nuggets of truth in the article. However, he immediately follows it up with this statement.
Unfortunately this kind of thinking is not appreciated by the PHP developers and they continue to claim that PHP is not worse than other languages, and that only badly written PHP applications are the problem.
Statements like the latter make the article an interesting and sometimes funny (depending on your point of view) read.
There is no question in anyone’s mind that security in the PHP core is important. There is an ongoing debate however as to how it should be dealt with. In this article, Stefan makes his side known.
Speaking of the Month of PHP Bugs, that’s slated for March. Stefan will release a new security bug each day. In his blog, Ilia Alshanetsky, the release manager for PHP 5, had this to say about MOPB.
...I have to look at this as a free security audit of PHP by someone with a clue about security and ultimately, in the long run it will only make PHP better, even if March is going to be rather busy.
=C=