Article by Brent Huston (MicroSolved), originally published at stateofsecurity.com - January 2009

PHP Threats Continue to Rise But More Work & Education Could Help
Threats against web applications developed in PHP continue to be an area of high activity and interest for attackers. PHP applications now represent a significant portion of the web-application attack footprints we see in our HoneyPoint Internet Threat Monitoring Environment (HITME). PHP scans and probes for new and emerging vulnerabilities are a common occurrence and one of the driving forces behind our deployment of the HITME. Our unique insights into ongoing threat activities allow our vulnerability management and professional services clients to know that they are better protected, even against bleeding-edge threats.
PHP security issues are so common that the folks at BreakingPoint Labs call it “one of the most commonly attacked pieces of software on the Internet today”. Even when deployed in so-called “safe mode”, PHP applications can still present a high level of risk: safe_mode is an interpreter-level restriction on which files and functions a script may touch, and it does nothing about input-handling flaws such as SQL injection and cross-site scripting, which live in the application code itself. At least until the release and wide-scale adoption of PHP 6, issues are likely to continue to abound, and perhaps beyond that if the attacker underground has anything to say about it.
PHP security problems also represent a major portion of known web vulnerabilities, especially over the course of 2008. Syhunt, the makers of Sandcat Pro, a web application vulnerability scanner, and a partner to MSI, has even created Sandcat4PHP, a dedicated source code scanner to help organizations proactively secure their PHP applications during development. Recently, Syhunt created a set of images that show the impact PHP vulnerabilities are having on their work: PHP security issues represent an overwhelming share of their findings for the year.
All of this is not to say that PHP development is a bad thing. In fact, PHP-developed applications have empowered many new cutting-edge applications, fueled the growth of web 2.0 and been a powerhouse for bringing average users the web maturity they have come to expect. Combining the ease of PHP with the power of MySQL, Apache and other open source tools has become a virtual standard for the online world. PHP applications CAN BE DONE SECURELY; they simply require additional work and effort to create secure code, just like any other language. The ease of PHP makes it a great language for learning development, but we, as a community, need to help even the budding developers among us learn the basics of writing secure code. Techniques like input validation, proper output sanitization, strong authentication and role-based access controls need to be a core part of our outreach teaching to developers.
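To make those four techniques concrete, here is an added example (not code from the original article or from MicroSolved) that puts an unsafe request handler beside a hardened one for the same task: look up a user by id and render the result as HTML. It assumes PHP 7.0 or later with the pdo_sqlite extension; the database rows and the query-string input are constructed inline so the script runs offline from the CLI. Authentication itself is outside the snippet; the role check stands in for the access-control layer that would sit behind it.

```php
<?php
// Added example, not from the original article. Contrasts a vulnerable lookup with a
// hardened one. Assumes PHP 7.0+ and the pdo_sqlite extension; all data is constructed.

// In-memory database seeded with two constructed rows. Bob's name carries a script tag
// so the rendering path can be tested for output sanitization.
function makeDb() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT, secret TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'admin', 'admin-token')");
    $db->exec("INSERT INTO users VALUES (2, 'bob <script>alert(1)</script>', 'user', 'bob-token')");
    return $db;
}

// UNSAFE: the id is concatenated into the SQL text and the name is echoed as raw HTML.
// Any string is accepted, so "1 OR 1=1" returns every row (including every secret),
// and bob's stored name is rendered as live script.
function vulnerableLookup(PDO $db, array $get) {
    $id = $get['id'];
    $rows = $db->query("SELECT name, secret FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
    $html = '';
    foreach ($rows as $r) {
        $html .= "<li>{$r['name']} ({$r['secret']})</li>";
    }
    return $html;
}

// HARDENED: validate the type first, bind the value, gate the sensitive column on the
// caller's role, and encode on output. Returns null for a malformed id rather than
// guessing what the caller meant.
function hardenedLookup(PDO $db, array $get, $requesterRole) {
    // 1. Input validation: accept only a positive integer.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Parameterized query: the value is bound, never parsed as SQL.
    $stmt = $db->prepare('SELECT name, role, secret FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $r) {
        // 3. Role-based access control: only an admin requester sees the secret column.
        $secret = ($requesterRole === 'admin') ? $r['secret'] : '[hidden]';
        // 4. Output sanitization: HTML-encode for the HTML context it is rendered into.
        $html .= '<li>' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8')
               . ' (' . htmlspecialchars($secret, ENT_QUOTES, 'UTF-8') . ')</li>';
    }
    return $html;
}

$db     = makeDb();
$attack = ['id' => '1 OR 1=1'];   // constructed malicious query string
$normal = ['id' => '2'];          // constructed benign query string

echo "Vulnerable handler, attacker input:\n" . vulnerableLookup($db, $attack) . "\n";
echo "Hardened handler, attacker input: " . var_export(hardenedLookup($db, $attack, 'user'), true) . "\n";
echo "Hardened handler, benign input as user:\n" . hardenedLookup($db, $normal, 'user') . "\n";
echo "Hardened handler, benign input as admin:\n" . hardenedLookup($db, $normal, 'admin') . "\n";
```

Run it with `php example.php`. The vulnerable path prints both rows, secrets included, and emits bob's `<script>` tag verbatim; the hardened path rejects the injected id outright, and for the benign id renders `bob &lt;script&gt;alert(1)&lt;/script&gt;` with the secret shown only to the admin role. Note that the hardening steps are independent: a prepared statement alone would still have leaked the script tag, and encoding alone would still have leaked every secret.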
In the meantime, while education is being worked on, it would be wise to take a look around your environment and audit any PHP applications in production or planned for use in the near future. Additional work, tools or monitoring may be required to better handle the risk you find. Let us know if we can be of any help or if you would like additional insight into PHP security problems. Keep your eyes on PHP, though; its powerful, flexible capabilities make it a big player in the future of the web!