PHP is a coding language that tends to be mocked quite heavily among members of the cybersecurity community. While the server-side scripting language certainly is not the worst to code in, it tends to be a source of numerous exploits due to easily made mistakes in coding. The reasons for this are varied, but it is clear that those who love the language are tired of the security issues that PHP has long been known for.
As reported by Catalin Cimpanu of Bleeping Computer, well-respected members of the PHP community have formed an alliance called FriendsOfPHP. The goal of FriendsOfPHP is to prevent PHP libraries with vulnerabilities from getting installed. To accomplish this, the group has created a GitHub page under the project name PHP Security Advisories Database.
The database is loaded with, in Cimpanu’s words, “a giant guide of what versions of what PHP project or library is safe to use or safe to update to.” It has had some success already on GitHub and now has caught the attention of the Roave Security Advisories, which have decided to integrate the FriendsofPHP project into their own work.
The result of this integration is the ability for PHP developers to ensure that zero-days are not installed. The reality is, however, that the FriendsOfPHP movement still needs to gain attention in order for it to work. Until every PHP developer is aware of the project there will still be individuals who accidentally install exploitable PHP code.
To drive home the point in this article, these words, taken from an interview that Scott Arciszewski, chief development officer at Paragon Initiative Enterprise, did with Bleeping Computer, really sum up why every PHP coder should employ this database:
The how to handle advisories for projects that haven’t fixed them yet? question has been answered, so this should become a reliable way to stop people from running vulnerable code... If you think it’s dangerous to install dependencies from projects that responded to vulnerability disclosures with meh, add [Roave/SecurityAdvisories] to all your Composer projects today.
So the question to PHP devs is: What are you waiting for?
Photo credit: Pixabay