- PHP is very, very popular
- Nearly impossible to find a hosting service that doesn’t support PHP in some form
- About 34% of all domains report using PHP
- PHP is very easy to learn
- PHP provides results quickly ,Time between setup and seeing results is very short
PHP powers many busy, high-profile sites
- Wikipedia
- Wordpress.com
- Digg
- Flickr
- Yahoo!
Network Administrator Responsible for
a) Directly responsible for PHP environment security
b) Tendency to lower security of environment to reduce application compatibility complaints
PHP Developer Responsible for
• The PHP Developer Must be aware of the environment and how it impacts app
development
• Will write apps assuming certain features are enabled, despite
security risks
What is PHPSecInfo ?
A security auditing tool accessible to the “Deployer”
1. Compatible
Support PHP4 (63%) and PHP5 (37%)
2. Easy to install
Unzip and Upload
3. Easy to execute (little or no config)
Runs upon upload; single function call
4. Easy to understand
Clear, unambiguous results; color coding
5. Encourage further exploration
Offer extended explanations with links to more info
Test Suite
1. 17 tests for commonly exploited security
2. vulnerabilities in PHP environment
3. Each test result shows:
- Current Setting
- Recommended Setting
- Result (color-coded)
- Explanation
- Link to further info
More info. Available on -
- phpsecinfo.com
- phpsecinfo.googlecode.com
- phpsec.org
- cerias.purdue.edu
- framework.zend.com
No comments:
Post a Comment