Skip to main content

The challenge for 2019 has just got real

PHPSecDev

I am a regular listener to the Security Weekly Podcasts Network, that includes Hack Naked News, Business Security Weekly, Enterprise Security Weekly, Secure Digital Life and Application Security Weekly. I really love their shows and over the years I've been listening to them, I learned a lot about business leadership, communication and security. If you're in tech, I can highly recommend listening to their podcasts. And since I'm always on the go, these are great shows to listen to while driving around.

But… and here it comes: for some reason they have a love-hate relationship with PHP, where their disliking of the technology is omnipresent in their shows. Particularly in their Application Security Weekly they love to pick on PHP and blame it for all the evil that exists on the internet. On one hand, I cannot blame them since the strength of PHP lies in the fact that anyone can write a dynamic website within a few minutes. The downside is also that anyone can write a dynamic website within a few minutes. So I understand where they are coming from. Do I like it? Nope.

During episode "In Flames - Application Security Weekly #44" they were picking on WordPress that released version 5.0.1 with a series of security updates for version 5.0.0 that was released a couple of days earlier. The host Keith Hoodlet's comment "WordPress, you should have this down by now, I think" got me all fired up.

I'm not knees deep in the inner workings of WordPress, but I do know that it's a vibrant, active community that just want to give users the best experience for the many users worldwide. The only time many security researchers are actually looking at the code (and vulnerabilities) is when the code is released. If half of them would take part in the development process before the release is done publicly, many of these issues can be tackled upfront.

But that's the thing with open source: people expect that everyone is on top of all the things and that you are fixing bugs in an instant. I've been in professional development since 1990 and I've seen over the past decades the industry putting more and more requirements on developers but not providing them the time to actually learn properly what needs to be known resulting in an ever lasting chase of the technology rabbit. Those who actually invest large portions of their off-work time to learn and adapt, understand what gap needs to be filled.

So after listening to the rants of both the show hosts Paul Asadoorian and Keith Hoodlet, I decided it was time for me to take on a new challenge for myself and the PHP community I love so much: I need to learn the security aspect of web application development in general and PHP in specifics so I can educate and mentor those in the community to build more secure, robust PHP applications so by the end of 2019 I can convince Paul and Keith that PHP is as secure as any other technology stack out there.

I don't know what I'm getting myself into as I have only a basic understanding of web application security (OWASP Top 10, OWASP Web Application Security Testing Cheat Sheet, PHP Security, PHP Security Consortium and the Basics of Web Application Security by Martin Fowler. I was also lucky that my compony partnered with RIPSTech who have a superb security scanner for all sorts of PHP vulnerabilities, and I love their annual PHP Security Advent Calendar where each day of December they are challenging the audience to identify the vulnerability.

Let me use this blog to share my experiences as I go through the process of learning security and I'm reaching out to my friends in the PHP and Testing community to come to my aid to point me to things I'm not yet aware of (the dreadful unknown unknowns). And hopefully I become a wiser developer by the end of 2019 so I can convince the hosts of Application Security Weekly that PHP is not better and not worse than any other technology.

Comments

Popular posts from this blog

Deploy Docker containers fast to Microsoft Azure

DEPLOY DOCKER CONTAINERS FAST TO MICROSOFT AZURE It’s hard to ignore the fact thatDockeris a way to move forward for rapid application development, distributed architectures and microservices. For developersDockeroffers great advantages as they can build their containers specifically for the task they work on. They grab a base image of a container, modify it for their purpose and prepare the functionality inside the container. Quality, testing and security teams now have a single instance to look at and ensure all functional and regulatory requirements are met. System engineers now don’t have to worry about providing a system with the required specs as the container is already provisioned for that purpose. But where do you deploy yourDockercontainers? You can set up your existing bare metal infrastructure to allow them to run containers, but this also means you need to learn about securing your container infrastructure, which is not an easy task. Luckily “the cloud” offers container …

Speeding up database calls with PDO and iterators

When you review lots of code, you often wonder why things were written the way they were. Especially when making expensive calls to a database, I still see things that could and should be improved.
No framework development When working with a framework, mostly these database calls are optimized for the developer and abstract the complex logic to improve and optimize the retrieval and usage of data. But then developers need to build something without a framework and end up using the basics of PHP in a sub-optimal way.

$pdo = new \PDO( $config['db']['dsn'], $config['db']['username'], $config['db']['password'] ); $sql = 'SELECT * FROM `gen_contact` ORDER BY `contact_modified` DESC'; $stmt = $pdo->prepare($sql); $stmt->execute(); $data = $stmt->fetchAll(\PDO::FETCH_OBJ); echo 'Getting the contacts that changed the last 3 months' . PHP_EOL; foreach ($data as $row) { $dt = new \DateTime('2015-04-…

PHP 7 and Apache on macOS Sierra

I posted several talks about compiling PHP from source, but everyone was trying to convince me that a package manager like Homebrew was a more convenient way to install. The purpose of Homebrew is simple: a package manager for macOS that will allow you to set up and install common packages easily and allows you to update frequently using simple commands. I used a clean installation of macOS Sierra to ensure all steps could be recorded and tested. In most cases you already have done work on your Mac, so chances are you can skip a few steps in this tutorial. APACHE AND PHP WITH HOMEBREW I’ve made this according to the installation instructions given on GetGrav. The installation procedures These installation procedures will set up your macOS Sierra with PHP 7.1 and Apache 2.4. Install Xcode command line tools (if not done yet)xcode-select --install Install Homebrew/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" Set up for in…