PHP community taking stand against vulnerabilities

PHP is a programming language that tends to be mocked heavily within the cybersecurity community. While the server-side scripting language is certainly not the worst to code in, it tends to be a source of numerous exploits because of coding mistakes that are easy to make. The reasons for this are varied, but it is clear that those who love the language are tired of the security issues PHP has long been known for.

As reported by Catalin Cimpanu of Bleeping Computer, well-respected members of the PHP community have formed an alliance called FriendsOfPHP. The goal of FriendsOfPHP is to prevent PHP libraries with vulnerabilities from getting installed. To accomplish this, the group has created a GitHub page under the project name PHP Security Advisories Database.

The database is loaded with, in Cimpanu’s words, “a giant guide of what versions of what PHP project or library is safe to use or safe to update to.” It has already had some success on GitHub and has now caught the attention of the Roave Security Advisories project, which has decided to integrate the FriendsOfPHP project into its own work.

The result of this integration is the ability for PHP developers to ensure that zero-days are not installed. The reality is, however, that the FriendsOfPHP movement still needs to gain attention in order for it to work. Until every PHP developer is aware of the project there will still be individuals who accidentally install exploitable PHP code.

To drive the point home, these words from Scott Arciszewski, chief development officer at Paragon Initiative Enterprise, in an interview with Bleeping Computer, sum up why every PHP coder should use this database:

The “how to handle advisories for projects that haven’t fixed them yet?” question has been answered, so this should become a reliable way to stop people from running vulnerable code... If you think it’s dangerous to install dependencies from projects that responded to vulnerability disclosures with “meh,” add [Roave/SecurityAdvisories] to all your Composer projects today.

So the question to PHP devs is: What are you waiting for?
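The Roave package ships no code of its own; it turns the FriendsOfPHP advisory ranges into a Composer conflict list so the dependency solver refuses affected versions. As an added example (not code from the article, FriendsOfPHP or Roave), the PHP script below applies one constructed advisory written in the database's per-advisory format to an installed version, showing how a version range is evaluated; the package name, versions and link are placeholders, not a real vulnerability.

```php
<?php
declare(strict_types=1);

// Constructed advisory in the shape used by FriendsOfPHP entries
// (one YAML file per advisory, shown here as a PHP array). Every
// value is a placeholder; this is not a real vulnerability.
$advisory = [
    'title'     => 'Example advisory (constructed)',
    'link'      => 'https://example.invalid/advisory',
    'reference' => 'composer://example-vendor/example-lib',
    'branches'  => [
        '1.x' => ['versions' => ['>=1.0.0', '<1.4.2']],
        '2.x' => ['versions' => ['>=2.0.0', '<2.1.0']],
    ],
];

// Does $version satisfy one constraint such as "<1.4.2"?
function satisfies(string $version, string $constraint): bool
{
    if (!preg_match('/^(>=|<=|!=|==|=|>|<)?\s*(.+)$/', trim($constraint), $m)) {
        throw new InvalidArgumentException("Bad constraint: $constraint");
    }
    $op = ($m[1] === '' || $m[1] === '=') ? '==' : $m[1];
    return (bool) version_compare($version, $m[2], $op);
}

// A branch matches when every constraint in its range holds (ANDed);
// the version is affected if any branch matches.
function isVulnerable(array $advisory, string $installed): bool
{
    foreach ($advisory['branches'] as $branch) {
        $hit = true;
        foreach ($branch['versions'] as $constraint) {
            $hit = $hit && satisfies($installed, $constraint);
        }
        if ($hit) {
            return true;
        }
    }
    return false;
}

// Constructed stand-in for the package list Composer records in installed.json.
$installed = ['example-vendor/example-lib' => '1.3.0'];
foreach ($installed as $pkg => $ver) {
    if ('composer://' . $pkg === $advisory['reference']) {
        printf("%s %s: %s\n", $pkg, $ver, isVulnerable($advisory, $ver) ? 'VULNERABLE' : 'ok');
    }
}
```

In a real project the usual route is `composer require --dev roave/security-advisories:dev-latest`, which feeds the same ranges to the solver as conflicts so an affected version is never installed, rather than being found by a check like this one after the fact.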

Photo credit: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society informed about Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
