PHP Remains Strong Despite Security Flaws

Over the course of May, the PHP community was hit with a barrage of more than 60 security issues. The security assault was all part of the Month of PHP Security (MOPS) effort, which disclosed the flaws.

But even after so many identified security issues in MOPS, PHP experts argue that the language is not necessarily insecure.

"Since none of the issues found were deemed as critical security issues, we don't consider any of them zero-day flaws," Andi Gutmans, CEO of PHP vendor Zend, told InternetNews.com.

Gutmans added that the vast majority of the flaws reported in PHP itself belong to a class of issues that requires local access to the server for the bug to be exploited. That would entail a scenario in which a developer is attacking his own server, which would have to be configured to permit access to run custom code.

"PHP was not designed to protect against such scenarios, and while it does some best-effort attempts to protect against casual hacking attempts, it doesn't pretend to promise bulletproof protection against untrusted developers with code access," Gutmans said. "As such, it's likely there are dozens of other similar issues in PHP, perhaps even more, and while we do consider them bugs, we don't consider them as critical security issues."

Rather, as a way to protect against privilege elevation, he recommends ensuring that security is properly configured at the operating-system level.

Among the reported MOPS issues are some that may be considered items that developer best practices can help to eliminate.

"PHP, like all development languages, is only as secure as the code people write in it," Gutmans said. "The main important thing developers have to know is that when they deploy a Web application -- whether it's written in PHP or in any other language -- they're deploying into a hostile world. It's therefore important for everyone to get security training."