Friday, November 4, 2011

PHP in Secure Environments

While PHP is by far the most popular framework for web development, according to BuildWith Trends (2011) its popularity is actually declining; the graph posted on the website is from 2007. Newer technologies such as ASP.NET Ajax, Ruby on Rails, Adobe Flex and Microsoft Silverlight are gaining a larger market share (BuildWith Trends, 2011). On the other hand, the PHP framework is still actively developed and supported, so its popularity does not play a major role when discussing the security of the environment.
When discussing a secure e-commerce environment, in many cases the choice of development language itself is not the major factor in the overall security posture. Attackers more often target misconfigured or outdated services than try to exploit a vulnerability such as a buffer overflow in the language interpreter (Verizon RISK Team, 2011). Moreover, the Open Web Application Security Project (OWASP) Top 10 web application security risks highlight that the majority of exploitable vulnerabilities relate either to the web server, such as misconfiguration and insufficient transport layer protection, or to the security awareness of the software developers, such as injection, cross-site scripting and insecure direct object references (OWASP, 2010).
The security awareness of software developers is considered by many security experts to be the main factor affecting the risk exposure of a web application (Dafydd Stuttard and Marcus Pinto, 2011). Let's consider SQL injection as an example: although the SQL injection vulnerability was first documented in 1998 (rain.forest.puppy, 1998) and is ranked as the number one security risk by the Open Web Application Security Project (OWASP, 2010), code such as the following (potentially vulnerable to SQL injection, because the value of $prodcode is concatenated directly into the query text):

$sql = "Select * from products where productCode='" . $prodcode . "'";

still appears in university lecture notes (Laureate Online Education, 2007).
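As an added example that is not part of the original post, the concatenated query from the lecture notes is shown below next to a parameterized version built with PDO, run against an in-memory SQLite database so it works offline. It assumes the pdo_sqlite extension is available; the table, its rows and the product codes are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): concatenated query beside a
// parameterized one, run against an in-memory SQLite database (assumes
// the pdo_sqlite extension). Table contents below are constructed sample data.

function buildVulnerableQuery(string $prodcode): string
{
    // Vulnerable: untrusted input is spliced into the SQL text, so any quote
    // character in $prodcode changes the structure of the statement.
    return "Select * from products where productCode='" . $prodcode . "'";
}

function findProductSafely(PDO $db, string $prodcode): ?array
{
    // Hardened: the SQL text is fixed and the value travels separately as a
    // bound parameter, so the database never parses it as part of the query.
    $stmt = $db->prepare('SELECT * FROM products WHERE productCode = :code');
    $stmt->bindValue(':code', $prodcode, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function makeSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (productCode TEXT PRIMARY KEY, name TEXT)');
    $ins = $db->prepare('INSERT INTO products (productCode, name) VALUES (?, ?)');
    $ins->execute(['AB-100', 'Widget']);
    // Constructed: a perfectly legitimate product code that happens to contain a quote.
    $ins->execute(["AB'101", 'Widget with apostrophe']);
    return $db;
}

$db = makeSampleDb();
$input = "AB'101"; // legitimate input containing a single quote

// The concatenated statement is no longer the query the developer intended
// (the quote closes the string literal early), so the database rejects it.
echo buildVulnerableQuery($input), PHP_EOL;
try {
    $db->query(buildVulnerableQuery($input));
} catch (PDOException $e) {
    echo 'Concatenated query failed: ', $e->getMessage(), PHP_EOL;
}

// The parameterized version treats the whole input as one value and finds the row.
var_dump(findProductSafely($db, $input));
var_dump(findProductSafely($db, 'does-not-exist')); // NULL: no such product
```

The same input that breaks the concatenated query is handled correctly by the prepared statement, which is the property that also stops deliberately crafted input from altering the query. When the database is MySQL rather than SQLite, set `PDO::ATTR_EMULATE_PREPARES` to `false` so that binding is performed by the server instead of by client-side string substitution.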
Organizations such as the PHP Group and the PHP Security Consortium provide guides on securing PHP deployments and on secure code development in PHP. In addition, the guide (PHP Security Consortium, 2005) covers topics such as input validation, databases and SQL injection, session management and issues related to shared hosts.

