26th August, 2008

Is PHP vulnerable software?

Thanks to Ivo Jansch, I spotted Matt Assay mentioning in his article on cnet that PHP headlines in IBM’s list of most vulnerable software and I have to say this is complete balderdash on the part of IBM.

He quotes from the report:

Another commonality between these three vendors is that they are all written in PHP. If we look back over last year’s disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.

What are featuring in IBM’s top ten of vulnerable that makes the report insinuate that the PHP language is a security risk are Jooma, WordPress and Drupal. How PHP would feature in a list of “vendors” is beside the point – if a construction company were to build a house where the windows don’t close fully, the security alarm doesn’t work and where bare wires are exposed you don’t “blame” the windows, alarm system and cabling. The responsibility rests with the construction company and/or the individual contractors hired by that company. Similarly, we can’t “blame” PHP for bad software architecture and security risks present in Joomla, WordPress or Drupal – the onus is on the software developers and architects to design secure [web] applications.

They should, at the least, ensure input data is of the expected type, of certain values; handle uploaded files in a secure and cautious manner that they don’t overwrite files crucial to the health/security of the system running the application or the application itself; use an audit trail for checking against attacks, ensure security in depth against SQL injections, Cross Site Vulnerabilities, Command Injection and … I could go on but won’t – search for php security best practices, get the Zend PHP 5 Certification Study Guide, check out the library resource at the PHP Security Consortium.

Now where’s ruby, cobol, C, and z80A assembly language on that list? And why is Linux mentioned there as a vendor?

Posted at 12:47 pm | Comment (0)

Recently

• 8000 commits
• Extending Clutter-Box2d
• shiny langtag library
• libreoffice help ported to clucene
• cross-compiling LibreOffice for windows (mingw32) under Fedora

Archives

• May 2012
• March 2012
• February 2012
• November 2011
• October 2011
• September 2011
• August 2011
• July 2011
• June 2011
• May 2011
• April 2011
• March 2011
• February 2011
• January 2011
• December 2010
• October 2010
• September 2010
• August 2010
• June 2010
• May 2010
• April 2010
• March 2010
• February 2010
• January 2010
• December 2009
• November 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• April 2009
• March 2009
• February 2009
• January 2009
• December 2008
• November 2008
• October 2008
• September 2008
• August 2008
• July 2008
• December 2007
• December 2005
• April 2005

Categories

• 11
• 12
• 16
• 1702
• 2
• 20
• 21
• 4
• 9
• Haskell
• linux
• OpenSource
• openstreetmap
• pear
• php
• review
• Site News
• Sunday Reading
• Uncategorized

Links

WordPress.com
WordPress.org