PHP, aka Pretty Hosed Programming

Posted 01-11-2006 at 08:02 PM by unSpawn

If you've read the SANS Top 20 of 2005 (http://www.sans.org/top20/) there is a clear message with respect to deploying PHP-driven applications: be paranoid or be cracked. A short tour of a few vulnerability reporting sites shows that with programmers who can't be arsed to follow the most basic principles of programming, who force users to run their app with all essential security features off, and with undereducated users running apps without questioning this, it will be another wonderful year for your average cracker. And you don't even have to use a search engine as first line of recon, since some developers "proudly" show off a list of sites running their app + versions. How cool is that.

Just like some sources contain test cases, so should PHP come with its own checking tools (no, I don't mean all those publicly accessible phpinfo, analyze and security pages). And if PHP developers or application programmers can't be taught to practice Safe Hex, then at least we need our own general auditing tool for PHP-driven deployment (like the CastleCops PHP-Nuke thingie). If not as a standalone tool, then I think possible targets for inclusion could be Chkrootkit, Rootkit Hunter (nice piggyback, since popular, but probably out of their scope), Tiger, LSAT (Number9, not Mixter's).

Now how to find someone with the time to make a start with such an addon?..
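As an added illustration of what a start on such an add-on could look like (example code, not from the post or from any of the tools it names), here is a small POSIX sh auditor in the chkrootkit/rkhunter style that reads a php.ini and flags the deployment settings a careless install typically runs with. The directive names (register_globals, display_errors, expose_php, allow_url_fopen, open_basedir, disable_functions) are real php.ini settings; the sample ini written by write_sample_php_ini is constructed for the demo, and the script assumes that an absent directive falls back to a compiled-in default it cannot see.

```shell
#!/bin/sh
# Added example, not code from the original post: a tiny php.ini auditor in the
# spirit of the chkrootkit / rkhunter style check the post asks for. The
# directive names are real php.ini settings; the sample file written by
# write_sample_php_ini is constructed for this demo.

# Emit every active directive of php.ini $1 as "name=value": ';' comments
# stripped, quotes and whitespace removed, lowercased so On/ON/on compare equal.
php_ini_directives() {
    sed -e 's/;.*$//' -e 's/"//g' -e 's/[[:space:]]//g' -e '/^$/d' "$1" |
        tr 'A-Z' 'a-z'
}

# Effective value of directive $2 in file $1 (last occurrence wins, as in PHP).
# Prints an empty string when the directive is not set at all.
php_ini_get() {
    php_ini_directives "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# True for the spellings PHP treats as "enabled".
php_ini_is_on() {
    case "$1" in 1|on|yes|true) return 0 ;; *) return 1 ;; esac
}

# Audit file $1: one FAIL/WARN line per finding, nothing for a pass.
# Assumption: an absent directive falls back to the compiled-in default, which
# this script cannot see, so the booleans are flagged only when set weakly;
# open_basedir and disable_functions are flagged when absent or empty.
php_ini_audit() {
    ini="$1"
    php_ini_is_on "$(php_ini_get "$ini" register_globals)" &&
        echo "FAIL register_globals=On: request data becomes global variables"
    php_ini_is_on "$(php_ini_get "$ini" display_errors)" &&
        echo "FAIL display_errors=On: paths and queries leak to visitors"
    php_ini_is_on "$(php_ini_get "$ini" expose_php)" &&
        echo "WARN expose_php=On: PHP version advertised in response headers"
    php_ini_is_on "$(php_ini_get "$ini" allow_url_fopen)" &&
        echo "WARN allow_url_fopen=On: include()/fopen() accept remote URLs"
    [ -z "$(php_ini_get "$ini" open_basedir)" ] &&
        echo "WARN open_basedir unset: scripts may read any file the web server can"
    [ -z "$(php_ini_get "$ini" disable_functions)" ] &&
        echo "WARN disable_functions empty: exec/system/passthru available"
    return 0
}

# Number of findings for file $1, as a plain integer.
php_ini_finding_count() {
    php_ini_audit "$1" | wc -l | tr -d ' '
}

# Write a constructed php.ini resembling a careless deployment; print its path.
write_sample_php_ini() {
    f="${TMPDIR:-/tmp}/sample-php-ini.$$"
    cat > "$f" <<'EOF'
; constructed sample for the demo, not a real deployment
[PHP]
register_globals = On   ; the application "requires" this
display_errors = On
expose_php = Off
allow_url_fopen = On
disable_functions =
EOF
    echo "$f"
}

# Usage: pass a real php.ini as $1, otherwise the constructed sample is audited.
target="${1:-$(write_sample_php_ini)}"
php_ini_audit "$target"
echo "findings: $(php_ini_finding_count "$target")"
```

Run against the sample it reports two FAILs and three WARNs; expose_php is the one checked directive the sample gets right. A real add-on for Chkrootkit or Rootkit Hunter would extend the same pattern with the per-application checks (exposed phpinfo pages, world-writable config files, version banners) that the post complains about.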