PHP community taking stand against vulnerabilities

PHP is a coding language that tends to be mocked quite heavily among members of the cybersecurity community. While the server-side scripting language is certainly not the worst to code in, it is a frequent source of exploitable bugs because common coding mistakes are easy to make in it. The reasons for this are varied, but it is clear that those who love the language are tired of the security issues PHP has long been known for.

As reported by Catalin Cimpanu of Bleeping Computer, well-respected members of the PHP community have formed an alliance called FriendsOfPHP. The goal of FriendsOfPHP is to prevent PHP libraries with vulnerabilities from getting installed. To accomplish this, the group has created a GitHub page under the project name PHP Security Advisories Database.

The database is loaded with, in Cimpanu’s words, “a giant guide of what versions of what PHP project or library is safe to use or safe to update to.” It has already had some success on GitHub and has now caught the attention of Roave Security Advisories, which has decided to integrate the FriendsOfPHP project into its own work.

The result of this integration is the ability for PHP developers to ensure that zero-days are not installed. The reality is, however, that the FriendsOfPHP movement still needs to gain attention in order for it to work. Until every PHP developer is aware of the project there will still be individuals who accidentally install exploitable PHP code.
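Roave/SecurityAdvisories itself works by listing the vulnerable version ranges as Composer conflict constraints, so Composer refuses to install a matching version. The script below, added here and not part of the article or of either project, performs the same check directly: it compares the packages recorded in a composer.lock against entries laid out like the database’s YAML advisories (a `composer://` reference plus per-branch version ranges). The package names, versions and advisory title are constructed placeholders.

```python
# Check a composer.lock against advisories laid out like the PHP Security
# Advisories Database entries (reference + branches -> versions). Stdlib only.
import re
import operator

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, ">": operator.gt, "<": operator.lt}

# Constructed advisory (placeholder package and title, not a real entry).
ADVISORIES = [{
    "title": "Example: header injection in acme/http (placeholder advisory)",
    "reference": "composer://acme/http",
    "branches": {
        "1.x": {"versions": [">=1.0.0", "<1.4.2"]},
        "2.x": {"versions": [">=2.0.0", "<2.1.1"]},
    },
}]

# Constructed "packages" entries of a composer.lock, trimmed to name/version.
LOCK_PACKAGES = [
    {"name": "acme/http", "version": "v2.0.3"},
    {"name": "acme/yaml", "version": "v3.1.0"},
]

def parse_version(v):
    """Turn 'v2.0.3' or '2.0' into a comparable int tuple; pre-release tags are dropped."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def satisfies(version, constraints):
    """True if version meets every constraint in a branch's 'versions' list."""
    for c in constraints:
        m = re.match(r"(>=|<=|==|>|<)\s*(.+)", c.strip())
        if not m or not OPS[m.group(1)](parse_version(version), parse_version(m.group(2))):
            return False
    return True

def find_vulnerable(lock_packages, advisories):
    """Return (package, version, title) for each locked package inside a vulnerable range."""
    hits = []
    for pkg in lock_packages:
        for adv in advisories:
            if adv["reference"] != "composer://" + pkg["name"]:
                continue
            for branch in adv["branches"].values():
                if satisfies(pkg["version"], branch["versions"]):
                    hits.append((pkg["name"], pkg["version"], adv["title"]))
                    break
    return hits
```

Running `find_vulnerable(LOCK_PACKAGES, ADVISORIES)` flags acme/http v2.0.3 because it falls inside the 2.x range, while acme/yaml has no matching advisory.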

To drive the point home, these words from an interview that Scott Arciszewski, chief development officer at Paragon Initiative Enterprises, gave to Bleeping Computer sum up why every PHP coder should use this database:

The “how to handle advisories for projects that haven’t fixed them yet?” question has been answered, so this should become a reliable way to stop people from running vulnerable code... If you think it’s dangerous to install dependencies from projects that responded to vulnerability disclosures with “meh,” add [Roave/SecurityAdvisories] to all your Composer projects today.

So the question to PHP devs is: What are you waiting for?

Photo credit: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
