 Posted by "bruce" on 06/15/86 11:31 
If you really want to get into a conversation about security... it might be 
time to try to figure out how to create a security app/process which could 
be used to validate that an app is secure. The process could be a function 
of an automated app that looks at/inspects code, as well as a manual process 
that inspects different portions of the app's logic/structure. 
 
There are a number of commercial code analyzers, although I don't know of 
any off the top of my head for PHP/web source based apps... 
 
Might be time to seriously look at creating such an app/service... there 
would probably be funding for this kind of app... 
 
PS: this kind of app would not be trivial to create!!! 
 
-bruce 
 
-----Original Message----- 
From: Chris Shiflett [mailto:shiflett@php.net] 
Sent: Tuesday, November 08, 2005 12:08 PM 
To: Gustavo Narea 
Cc: php-general@lists.php.net 
Subject: Re: [PHP] Re: Security Issues - Where to look? 
 
 
Gustavo Narea wrote: 
> By the way, I liked the link that Pablo suggested: 
> http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ 
 
Be careful. There is a lot of misinformation out there regarding PHP 
security, and this article is a good example. 
 
Here's something that caught my eye: 
 
"The second solution is to only store their username and password in a 
cookie, and with every call to the script, validate the username and 
password and verify if the user is an administrator." 
 
If the problem is how to expose a user's sensitive data as much as 
possible, then this is a solution. However, I doubt that's the intent. 
This is such a common mistake that it is something I specifically search 
for when auditing a PHP application, as I mention in this talk: 
 
http://brainbulb.com/talks/php-security-audit-howto.pdf 
 
The PHP Security Consortium is trying to resolve this problem of 
misinformation in a positive way (we don't want to disparage people's 
hard work and spread bad vibes). We've created a library of links to 
approved resources that we've read through to make sure the advice given 
is sound. You can find this library here: 
 
http://phpsec.org/library/ 
 
Hope that helps. 
 
Chris 
 
-- 
Chris Shiflett 
Brain Bulb, The PHP Consultancy 
http://brainbulb.com/ 
 
-- 
PHP General Mailing List (http://www.php.net/) 
To unsubscribe, visit: http://www.php.net/unsub.php
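The pattern Chris objects to above (credentials kept in a cookie and re-checked on every request) next to the server-side session approach he is alluding to, as an added illustration that is not code from the list post, from the DevShed article, or from the PHP Security Consortium. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()` and `password_verify()`), a site served over HTTPS, and a constructed in-memory `$users` array standing in for a real user table.

```php
<?php
// Added example, not from the original thread. The user store below is
// constructed at startup for demonstration; real code reads hashes from a DB.

// --- Pattern the quoted article recommends (the one Chris warns against) ---
// The plaintext password lives in the browser for the life of the cookie,
// is sent with every request, and is exposed to anything that can read
// cookies (script injection, shared machines, logs on a non-TLS path).
function insecure_login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    setcookie('user', $user, 0, '/');
    setcookie('pass', $pass, 0, '/');   // plaintext credential in a cookie
    return true;
}

function insecure_is_admin(array $users): bool
{
    // Re-validates the credentials on every request, as the article suggests.
    $user = $_COOKIE['user'] ?? '';
    $pass = $_COOKIE['pass'] ?? '';
    return isset($users[$user])
        && password_verify($pass, $users[$user]['hash'])
        && $users[$user]['is_admin'];
}

// --- Hardened form: the browser holds only an opaque session identifier ---
function secure_session_start(): void
{
    // Assumes HTTPS so the cookie can be marked Secure; HttpOnly keeps it
    // away from client-side script, SameSite limits cross-site sending.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function secure_login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    // Issue a fresh session id on privilege change so a pre-set id is useless.
    session_regenerate_id(true);
    $_SESSION['user']     = $user;
    $_SESSION['is_admin'] = $users[$user]['is_admin'];
    $_SESSION['login_at'] = time();
    return true;
}

function secure_is_admin(): bool
{
    // The password never leaves the server after login; only server-side
    // state decides the role.
    return !empty($_SESSION['user']) && !empty($_SESSION['is_admin']);
}

function secure_logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed demonstration data (not a real user database).
$users = [
    'alice' => ['hash' => password_hash('correct-horse', PASSWORD_DEFAULT), 'is_admin' => true],
];

secure_session_start();
if (isset($_POST['user'], $_POST['pass'])
    && secure_login($users, (string) $_POST['user'], (string) $_POST['pass'])) {
    echo "logged in\n";
}
if (secure_is_admin()) {
    echo "admin area\n";
}
```

The two `insecure_*` functions are only there to show what the audit check Chris mentions is looking for; an audit would flag any `setcookie()` whose value is a password or a password hash. The hardened path stores the user's identity and role in `$_SESSION` after a single `password_verify()`, so the credential is handled once and never echoed back to the client.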
 