PHP Security Architecture

[ EDIT: a comment I wrote in this entry referred to Laura Thomson as one of the reviewers of the OWASP Top 5 article. Although I have discussed other PHP related things with Laura, this article is not one of them. I’ve carefully reviewed my Sent folder during this time, and I’ve updated the reviewers in the article on the OWASP website. I apologize to Laura for bringing her into this sordid affair. ]

I have a comprehensive PHP security architecture for PHP 6 I’ve been developing, which I wanted to present to Chris for his comment, and if he felt it was good, possibly then ask Rasmus and Andi for a beer or two whilst I am at OSCON.

However, I’ve just had a very disturbing e-mail conversation with Stefan Esser, PHP security researcher, founder of Hardened PHP, and one of the initiators of He posted from his address, so I imagine he was talking to us (as in OWASP) in his PHP security bod at large capacity, but I’m not sure.

I’m now basically convinced that there is just no point trying to make PHP safe. The people involved are too poisonous and arrogant to change, therefore PHP will not change and become safe. My architecture would be attacked viciously but nothing would be done to put something like it in place. And without a decent architecture (mine or someone else’s), PHP is no safer than it is today, which is to say – not safe at all unless you know what you’re doing and can control php.ini, something most shared host users do not have the luxury of.

The best bet for PHP is to kill it by letting the current development team make PHP 6.0 into even more of a niche than PHP 5.x is, and ensure that hosters become more and more locked into the insecure PHP 4.x. When the hosters get sick of rebuilding their virtual hosts all the time, it will become uneconomical to allow PHP to be on their hosts. They will take it off, and ask people to move to safer languages / frameworks.

It’s time for PHP to die.

Update… I’m not going to re-write history, so I’ve left the above text for you to see.

However, it’s not fair to the PHP community that we security folks argue amongst ourselves whilst their apps continue to fall victim to the same attacks, time after time. I will spend more time on the architecture and create a BoF at the conference to present it after spreading it around my coterie of PHP friends for advice and comment. I’d love to have everyone who has been so passionate about this article come see us at OSCON and see what I have in mind.

Published by vanderaj
