If you really want to get into a conversation about security... it might be time to try to figure out how to create a security app/process which could be used to validate that an app is secure. The process could be a function of an automated app that looks at/inspects code, as well as a manual process that inspects different portions of the app's logic/structure.

There are a number of commercial code analyzers, although I don't know of any off the top of my head for PHP/web source based apps... might be time to seriously look at creating such an app/service. There would probably be funding for this kind of app...

PS: this kind of app would not be trivial to create!!!

-bruce

-----Original Message-----
From: Chris Shiflett [mailto:shiflett@xxxxxxx]
Sent: Tuesday, November 08, 2005 12:08 PM
To: Gustavo Narea
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: Re: Security Issues - Where to look?

Gustavo Narea wrote:
> By the way, I liked the link that Pablo suggested:
> http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

Be careful. There is a lot of misinformation out there regarding PHP security, and this article is a good example. Here's something that caught my eye:

"The second solution is to only store their username and password in a cookie, and with every call to the script, validate the username and password and verify if the user is an administrator."

If the problem is how to expose a user's sensitive data as much as possible, then this is a solution. However, I doubt that's the intent.

This is such a common mistake that it is something I specifically search for when auditing a PHP application, as I mention in this talk:

http://brainbulb.com/talks/php-security-audit-howto.pdf

The PHP Security Consortium is trying to resolve this problem of misinformation in a positive way (we don't want to disparage people's hard work and spread bad vibes). We've created a library of links to approved resources that we've read through to make sure the advice given is sound.
You can find this library here:

http://phpsec.org/library/

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
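Chris's objection above, as an added PHP example that is not code from the thread or from the DevShed article: the credential-in-cookie pattern the article recommends, beside a session-based shape that verifies the password once and hands the browser only an opaque identifier. `find_user()` and its in-memory user table are constructed stand-ins for a real user store.

```php
<?php
// Added example, not from the thread. find_user() and its user table are
// constructed stand-ins for a real user store.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 1, 'is_admin' => true,
                              'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    return $users[$username] ?? null;
}

// The article's "second solution": username and password live in a cookie and
// are re-validated on every request. Whoever can read that cookie (a script
// injection, a shared browser, a proxy log) holds the password itself, and the
// plaintext crosses the wire on every single request, not just at login.
function login_with_credential_cookie(string $user, string $pass): void
{
    setcookie('auth', $user . ':' . $pass);
}

function is_admin_from_cookie(): bool
{
    [$user, $pass] = explode(':', $_COOKIE['auth'] ?? ':', 2);
    $row = find_user($user);
    return $row !== null && password_verify($pass, $row['hash']) && $row['is_admin'];
}

// Safer shape: verify the password once, then store the privilege flag
// server-side and give the browser only an opaque session id with cookie
// flags that keep it away from scripts and off plaintext connections.
function login_with_session(string $user, string $pass): bool
{
    $row = find_user($user);
    if ($row === null || !password_verify($pass, $row['hash'])) {
        return false;
    }
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);   // fresh id after login, against session fixation
    $_SESSION['uid'] = $row['id'];
    $_SESSION['is_admin'] = (bool) $row['is_admin'];
    return true;
}

function is_admin_from_session(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return !empty($_SESSION['is_admin']);
}
```

When auditing, the thing to grep for is exactly the first pair: any `setcookie()` whose value is built from a password field, and any request handler that reads a password back out of `$_COOKIE`.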