PHP Security Redux
The PHP security saga goes on:
Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications. A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005. While flaws in the language itself account for a very small percentage of the total, the problems with PHP underscore the difficulty that developers--many of them amateurs--have in locking down applications written in the language, said Peter Mell, senior computer scientist for the NIST and the program manager for the National Vulnerability Database.
"In the dynamic programming language (and) scripting realm, we certainly have a problem," Mell said. "Any time a third or more of the vulnerabilities in a given year are attributed to a single language, you know you have a problem."
There are a couple of dynamics at work here. The first is evolution. Attackers evolve: they have learned a lot since 1995, so the "SSL, a firewall, and a prayer" security model of yesteryear now stops only the lamest script kiddies. When your opponent evolves, the logical response is to co-evolve and deal with the new attacks. The second is customer demand. We spent much of the 1990s watching open source security models outpace their closed source counterparts, who were more focused on customer demand for chrome and cowbell than on reliability.
Customers eventually realized that reliability was cool; open source had a nice run servicing that demand, and closed source products soon evolved to become more reliable as well. Now customers are also asking for security. Beyond the specialty security stacks, who will answer the call for increased security in general-purpose LAMP stacks?