Ed Finkler Talks About PHPSecInfo


**So one of the target audiences then would be people running web sites in a shared hosting environment?**
Yes, that is one of the target audiences. Will it only be useful to that audience? No. I think it is going to have a much larger audience. I wanted to make something that was going to have an impact on the majority of PHP installations out there. The goal is to make people aware of the problems so they can fix them.

One of the other self-imposed restrictions I placed on the design was I wanted it to be easy to use. You don’t have to instantiate an object and then call a method or anything. I wanted it to be a simple static function that you can call and it outputs the results.

So that was the basic idea. I kicked it around for a while and I had several people who were interested in it as a concept so I decided I would have to sit down and actually write it. So a couple of months before OSCON I actually wrote the framework for it. I wrote the API for the tests and everything. I shared it with the folks on the PHP Security Consortium mailing list to get some feedback on it. A couple of people have contributed tests to the project, I think Paul Reinheimer wrote a couple of them.

At OSCON I showed it to a couple of people and got really good feedback on it. People seemed to be really into it; so that was very encouraging. From there I kept in touch with a couple of people I met at OSCON. I even received a test from a member of the Portland PHP Users Group. Basically it all started to come together.

I’ve been in a holding pattern for a little bit as I got everything together for an official launch. Of course I’ve been busy with other things too. Now that it’s officially out though I’m hoping for some good feedback on how we can make it better. I’m also hoping that the PHP community at large will get involved with the project and help me with tasks like finding bugs and writing new tests.

**Ok, interesting. Now you are a member of the PHP Security Consortium. Is this an official phpsec.org project?**
Yes. This project moved through the approval process at phpsec.org and was voted on and it is now an official project of the Consortium.

**You mentioned earlier that the system is modular in design, are you hoping that others will contribute new tests?**
Yes, you can download the source and look at it, it’s not encrypted or anything. It’s a pretty simple API and it’s easy to write tests for it. We package the generated documentation with it. Between that and the source code, it should be easy to write your own tests. We encourage everybody using the code to write their own tests to meet their own needs. We [Ed. The phpsec.org principals] are also open to proposals for tests to be included in the official distribution.

Thank you for your time Ed and thank you for this very cool new tool. I look forward to future releases and new tests that people will be writing.

Here are a few links if you are interested in learning more:

http://phpsec.org/projects/phpsecinfo/
http://phpsec.org
http://www.cerias.purdue.edu
http://funkatron.com/wp/

=C=