Saturday, December 13, 2008

Securing the PHP Environment by PHPSecInfo

Fact 1
  • PHP is very, very popular
  • Nearly impossible to find a hosting service that doesn’t support PHP in some form
  • About 34% of all domains report using PHP
  • PHP is very easy to learn
  • PHP provides results quickly: the time between setup and seeing results is very short
Fact 2
PHP powers many busy, high-profile sites
  1. Wikipedia
  2. Facebook
  3. Wordpress.com
  4. Digg
  5. Flickr
  6. Yahoo!
Fact 3 Tells Us

Network Administrator

a) Directly responsible for PHP environment security
b) Tends to lower the security of the environment to reduce application-compatibility complaints

PHP Developer

a) Must be aware of the environment and how it impacts app development
b) Will write apps assuming certain features are enabled, despite the security risks

What is PHPSecInfo?

A security auditing tool accessible to the “Deployer”
1. Compatible
Supports PHP 4 (63%) and PHP 5 (37%)
2. Easy to install
Unzip and Upload
3. Easy to execute (little or no config)
Runs upon upload; single function call
4. Easy to understand
Clear, unambiguous results; color coding
5. Encourage further exploration
Offer extended explanations with links to more info

Test Suite

1. 17 tests for commonly exploited security vulnerabilities in the PHP environment
2. Each test result shows:
  • Current Setting
  • Recommended Setting
  • Result (color-coded)
  • Explanation
  • Link to further info
3. Simple metrics output
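As an added illustration (not PHPSecInfo's own code), here is a minimal audit in the shape the tool's results take: for each check it reports the current setting, the recommended setting, a color-coded result and an explanation, then a simple pass count. The directive names are standard php.ini settings; the recommended values and explanations are this example's own assumptions, not the tool's.

```php
<?php
// Added example, not PHPSecInfo's code: a small environment audit
// laid out like a PHPSecInfo result (current / recommended / result /
// explanation) plus a simple metric at the end.

// ini_get() returns boolean directives inconsistently: "1" or "" when
// set with On/Off in php.ini, but the literal string "Off" or "on" when
// set some other way. Normalise before comparing.
function ini_bool($name) {
    $v = strtolower(trim((string) ini_get($name)));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Each entry: directive, recommended boolean value, explanation.
// Recommendations are assumptions made for this example.
$checks = array(
    array('display_errors',   false, 'Errors shown to visitors leak paths and queries; log them instead.'),
    array('register_globals',  false, 'Request parameters become PHP variables and can override app state.'),
    array('allow_url_fopen',  false, 'include/fopen on user-influenced paths may fetch remote code.'),
    array('expose_php',       false, 'Advertises the PHP version in the X-Powered-By header.'),
);

$colors = array('pass' => '#9f9', 'warn' => '#f99');  // colour-coded result
$score  = 0;

echo "<table border='1'><tr><th>Test</th><th>Current</th><th>Recommended</th>"
   . "<th>Result</th><th>Explanation</th></tr>\n";
foreach ($checks as $c) {
    list($name, $recommended, $why) = $c;
    $current = ini_bool($name);
    $result  = ($current === $recommended) ? 'pass' : 'warn';
    if ($result === 'pass') {
        $score++;
    }
    printf("<tr style='background:%s'><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        $colors[$result], htmlspecialchars($name),
        $current ? 'On' : 'Off', $recommended ? 'On' : 'Off',
        strtoupper($result), htmlspecialchars($why));
}
echo "</table>\n";

// Simple metrics output: how many checks are at the recommended value.
printf("<p>%d of %d checks pass</p>\n", $score, count($checks));
```

A directive the running PHP does not know (for example register_globals on newer releases) makes ini_get() return false, which the normaliser treats as Off.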

More info available at:
  • phpsecinfo.com
  • phpsecinfo.googlecode.com
  • phpsec.org
  • cerias.purdue.edu
  • framework.zend.com
