Education in PHP Security – What’s Needed?

As anyone that’s been around the PHP community recently (within the last six to nine months) knows, Chris Hartjes has taken up the lead in an effort to increase awareness about unit testing – really testing in general – of PHP applications. He favors things like test-driven development and having good tests to back up and reinforce a good resulting product. I admire him for his efforts (including his book) and I wonder if this same movement could be used to help kickstart a security testing “revolution” in the PHP community too.

For a long time, PHP has had an unfortunate reputation as being an insecure language to develop web-based applications in. The language itself has very few built-in security features and leaves it to developers to plug in techniques and tools of their own to make things secure. Unfortunately, this leaves a lot of the beginner level applications wide open to potential attacks. Developers aren’t immediately given options to do things like filter their data or secure the data they’re storing in their sessions. Most developers that I know that are just starting out with PHP don’t even know these sorts of things need to be done. They blindly accept user data and expect that nothing other than what they’re wanting will come through. Sadly, this sort of thing has led to this insecure reputation – bad code written by inexperienced users. One of PHP’s best attributes is its low learning curve…and also its worst.

Many developers don’t even realize the need for security in the code they write until it’s too late. One day they wake up and – either because something they’ve written has been hacked or they read an article that talks about it – realize that they’ve been blind about protecting themselves and their data from Those People out on the web. This usually seems to happen about the time that most of them discover frameworks and how useful they can be. They start poking around what the framework has to offer and come across things like access control, user authentication and yes, maybe even secure session handling. A switch is flipped and the developer reacts in one of two ways – they take it as a charge to get better about their secure coding practices or they freak out and start going crazy with filtering, encryption and escaping.

Back to my original point – I wonder if it’s possible to take this momentum that Chris has gotten going and use it to encourage more testing for the security of applications up front. I’ve been doing what I can over on websec.io to try to help educate developers about things like secure coding practices, common infosec terms and information about securing their applications from would-be attackers, but it’s not enough. It’s not even a blip on the radar in what is a very serious matter that should be a consideration for all PHP developers.

Testing application security early, whether it be through the use of something like skipfish or a static code scanning tool, can save you time in the long run, just as unit testing your code helps track down and eliminate bugs faster. I want to promote early testing for security issues in applications and the mitigation of them, but I’m not sure how to reach developers in a way that they’ll listen.
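To make the two points above concrete (the beginner handler that “blindly accepts user data”, and testing security behaviour early the way you would unit test anything else), here is an added example; it is not code from the original post or from websec.io. It puts the naive version of a request handler next to a hardened one that filters input, escapes output for the HTML context and uses a prepared statement, and wraps the expected behaviour in a small self-check. It assumes PHP 7.4 or later with the pdo_sqlite extension; all function names, the table and the sample rows are constructed for this example.

```php
<?php
// Added example, not from the original post: the "blindly accept user data"
// handler beside a hardened version that filters input, escapes output and
// uses prepared statements. Function and variable names are this example's own.

declare(strict_types=1);

// The beginner version: whatever arrives in the request goes straight into
// the HTML. Kept only to contrast with the hardened version below.
function naiveGreeting(array $request): string
{
    $name = $request['name'] ?? '';      // no filtering at all
    return "<p>Hello, $name</p>";         // no escaping: markup passes through
}

// Hardened version: validate the input against an allow-list, then escape it
// for the HTML context it is rendered into.
function safeGreeting(array $request): string
{
    $name = $request['name'] ?? '';
    // Accept only a bounded, printable name; anything else falls back to a default.
    if (!is_string($name) || !preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $name)) {
        return '<p>Hello, guest</p>';
    }
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, {$escaped}</p>";
}

// Database access: string-built SQL versus a prepared statement. SQLite in
// memory keeps the example self-contained; the rows are constructed samples.
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
    return $db;
}

function naiveLookup(PDO $db, string $name): array
{
    // Concatenation: a single quote in $name changes the meaning of the query.
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function safeLookup(PDO $db, string $name): array
{
    // Bound parameter: the value is data and is never parsed as SQL.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A small self-check in the spirit of testing security behaviour early:
// returns true when the hardened versions behave as intended.
function runChecks(): bool
{
    $db = setupDb();
    $markup = ['name' => '<b>bold</b>'];

    $ok = safeGreeting($markup) === '<p>Hello, guest</p>';                  // rejected by the allow-list
    $ok = $ok && safeGreeting(['name' => "O'Brien"]) === "<p>Hello, O&#039;Brien</p>";
    $ok = $ok && naiveGreeting($markup) === '<p>Hello, <b>bold</b></p>';   // raw markup leaks into the page

    // A legitimate apostrophe is handled by the prepared statement with no
    // escaping code in the application at all.
    $rows = safeLookup($db, "O'Brien");
    $ok = $ok && count($rows) === 1 && $rows[0]['name'] === "O'Brien";

    // The same apostrophe breaks the concatenated query: the built SQL is
    // malformed, which the exception error mode surfaces as a PDOException.
    try {
        naiveLookup($db, "O'Brien");
        $ok = false;   // reaching here would mean the quote was silently accepted
    } catch (PDOException $e) {
        // expected
    }
    return $ok;
}

if (PHP_SAPI === 'cli') {
    echo runChecks() ? "all checks passed\n" : "a check failed\n";
}
```

Run it with `php` from the command line. The point of `runChecks()` is that the escaping and parameter binding are asserted, not assumed: the same check can live in a PHPUnit test so that a later change which drops the `htmlspecialchars()` call or rebuilds the query by concatenation fails the build instead of shipping.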

Pádraic Brady has started up an effort to create a guide to some of the most common issues PHP developers might face and it’s off to a good start. I wonder if there’s more that can be done to help improve the security awareness in the PHP ecosystem, though. It seems like there’s a lot of content floating around out there that’s from the “stone age” of PHP security practices (filter input, escape output, blah blah blah) and not much about real-world, advanced threats that relate to PHP applications and current web technologies.

What would you like to see in a security resource that could help you, as a developer, make your code more secure? Do things like articles/tutorials encourage you to take a good long look at your code and try to “think like an attacker” or would more real-time interaction (screencasts or webinars) do more to help? I’m interested to see what the community thinks is a good approach to this.

Security is an important topic, no matter the language you’re working with. PHP just has more of an uphill battle than some other languages – help me make it a little bit easier.

13 comments

  1. Three things immediately come to mind after reading this. First there has to be a realization and effort to recognize the intended audience. I like the fact that you have identified newer developers as an audience, and I think it is important that the resources and sample code be crafted in such a way as to be digestible by developers at all levels.

    Second, I think it is key to get developers to understand the degree of security required based upon the nature of the application. In other words, when you need to apply what security measures, and how much is too much.

    Finally, I would think there is some challenge with instilling the idea that security is not a once and done solution. Web security evolves over time as new types of threats emerge, etc. and it is important to stay informed as to how security techniques are developing. Additionally, I would think that some information on how to make web security scalable and modular so that it can be readily adapted to new threats would also be useful.

    I am glad to see more emphasis on the subject, and appreciate your taking the time to write the article.

    1. @andrew – it’s always tough to say “how much is enough” for the usual developer. It’s so dependent on the application and all of the pieces that make it up. Sure, there are some “best practices” that have been preached in the PHP community for a long time now (and that most developers seem to understand) but that’s only the tip of the iceberg. I’ve started trying to promote an overall security view instead of just a code-based one, but I’m starting to wonder if the code-centric approach is a better start. Developers “get” code :)

  2. There is ONLY ONE way to create a global awareness to “Education in PHP Security”. => TEAM WORK!
    A one or two or three person show is NOT enough. This should be a JOINT Mission among all PHP Developers in The PHP Community.

    – Organise sites like you mentioned
    – Create a strong PHP Circle
    – EVERY member of the circle SHOULD be ready to spread the word in all possible ways: their blog, portals, social networks..

    You cannot reach out and scream only in 1/8 corner of the world and hope EVERYONE or at least the majority of people will come across it.

    That’s how I view things, TEAM WORK!

    1. @Khayrattee – I couldn’t agree more! Websec.io is only one site out there, but there’s others – some that have sadly fallen into disrepair – that have a wider audience (and seem to come up more readily in Google searches). I’ve been thinking about talking to a few people and updating work that’s already been done on these sites and improving it with more up to date information. But, like you said, it’s not really a job for one person. You have to engage the community and get the spark inside others too…that’s been the tricky part so far.

  3. Tutorials and books are nice but I have *always* been a sucker for screen casts, not quite sure why :)

    I think this is a very good idea to try to kickstart a movement about security like that of the unit testing, hell I know before Chris Hartjes started this not many people I worked with could tell you there was even a term unit testing. With him bringing the attention to the front more and more beginners are starting to question what is Unit Testing. I know I have gotten the question from a few online acquaintances.

  4. Hey Chris,

    A very good incentive, but I think you should talk to Chris Shiflett as he has been the icon on security for PHP applications writing the book “Essential PHP Security” and given many talks regarding the subject.

    I agree with you, there’s not enough concern regarding security and we hope with the few security talks we have scheduled for PHPBenelux to put security back on everyone’s agenda. It has been away from conferences for much too long.

    Hit me on irc to discuss this topic a little further, as I still see security and testing as the least considered part of building applications.

    Michelangelo

  5. @chris To me it always circles right back to who the intended audience is, and the conundrum with this subject is that the audience is very diverse. This is true not only in skill level, but learning styles, and immediate need. I prefer to understand the overall concept and implement accordingly, or maybe to just read something that provokes enough thought to make me want to continue digging deeper.

    I sometimes wonder if approaches that are predominantly “code-centric” as you put it, just end up getting copy-pasted and people don’t really know why they are doing it. But the flip side of it is, if that is what someone wants, a quick copy-paste solution, then what’s worse… not understanding why you are doing it or just not doing it at all. Neither outcome is optimal that is for sure.

    Like Michelangelo, I also think highly of Chris Shiflett’s work in this arena; his book was easy for me to digest and then apply. I still find myself referring back to it for a refresher every now and again.

    Last thing, I hate being that guy who pontificates about how something should be done and then exits stage right. If you are looking for contributors or anything like that, feel free to drop me a line, would be glad to help.

    1. @andrew Chris and I (and Pádraic Brady) are talking about reworking the current version of the PHP Security Guide and revamping the efforts of the PHP Security Consortium to bring things up to date. Thanks for the feedback – I think the primary problem with most of the current information out there is that it is this “copy and pasted” information with minor alterations. I’ve even seen articles within the last few months that were 5 year old recommendations.

      I definitely think a resource with information on different levels is a must. Having something that talks to multiple areas – code, environment, current exploits, etc – would help a broad range of folks a bit better than just a few isolated articles will. I’m always happy to publish content on websec.io…email me if you want to contribute :)

  6. As someone who is making the move from CFML to PHP I would be interested in such a resource. Personally I prefer written articles and tutorials to screencasts and webinars. Thank you for the link to Pádraic’s site – I’ll check it out.
