PHPSecInfo

Wednesday, April 04, 2007

Not going to OSCON this year

I’m pretty bummed: I won’t be able to go to OSCON this year. I got the standard rejection letter for my talk proposal on PHPSecInfo. It’s kind of frustrating, not just because this means there’s no way I can go (I can’t afford to send myself, and it’s not in the work budget), but because there’s no feedback given at all. I understand why they don’t, but I wish I knew more about why I didn’t make the cut.

Phooey.

Posted in PHPSecInfo, My Projects, PHP by funkatron on 04/04 at 05:26 PM
(2) Comments

Thursday, March 29, 2007

Determining if a function is *really* available in PHP

After pounding for a few hours, I think I finally got the UID and GID tests for PHPSecInfo in an acceptable state. Two things have made this hard:

  1. You can really only do this with an exec() call to the “id” UNIX command, or the posix_* functions, either of which is frequently disabled
  2. There is basically no foolproof way to programmatically tell whether a function is available or not in PHP

Number 2 is the real rub, and quite annoying. is_callable() will return TRUE even if a function has been disabled in php.ini with disable_functions (which, in my mind, is contrary to what “is_callable” implies). function_exists() will return FALSE if the function is disabled in php.ini, but will return TRUE if the function is being blocked by safe_mode.

For now, the tests try exec('id') first, checking that it passes function_exists() and that safe_mode is disabled. If it fails those, the posix_* functions are checked against function_exists() (they aren’t affected by safe_mode). If those fail as well, the test will be skipped.
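The fallback order described above, written out as an added PHP example (not PHPSecInfo’s own code). The explicit scan of ini_get('disable_functions') and the root warning at the end are additions beyond what the post describes:

```php
<?php
// Added example (not PHPSecInfo's code): decide whether exec('id') or the
// posix_* functions can actually be used, then read the process UID/GID.

// True only if $name exists AND is not listed in disable_functions.
// Reading the ini list directly is an extra belt-and-braces check
// (assumption added here); the post relies on function_exists() alone.
function function_really_available($name)
{
    if (!function_exists($name)) {
        return false;
    }
    $disabled = array_map('trim', explode(',', strtolower((string) ini_get('disable_functions'))));
    return !in_array(strtolower($name), $disabled, true);
}

// safe_mode blocks exec() without changing what function_exists() says.
// safe_mode was removed in PHP 5.4; ini_get() then returns false -> "off".
function safe_mode_enabled()
{
    return filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN);
}

// Returns array('uid'=>int,'gid'=>int,'via'=>string), or null = skip the test.
function get_process_uid_gid()
{
    // 1. exec('id'): needs exec() usable and safe_mode off.
    if (function_really_available('exec') && !safe_mode_enabled()) {
        $last = @exec('id', $lines, $rc);   // exec() returns the last output line
        if ($rc === 0 && preg_match('/uid=(\d+).*?gid=(\d+)/', $last, $m)) {
            return array('uid' => (int) $m[1], 'gid' => (int) $m[2], 'via' => 'exec');
        }
    }
    // 2. posix_*: unaffected by safe_mode, but often compiled out or disabled.
    if (function_really_available('posix_getuid') && function_really_available('posix_getgid')) {
        return array('uid' => posix_getuid(), 'gid' => posix_getgid(), 'via' => 'posix');
    }
    // 3. Neither path works: report "skipped" instead of a bogus result.
    return null;
}

$ids = get_process_uid_gid();
if ($ids === null) {
    echo "UID/GID test skipped: neither exec('id') nor posix_* is usable\n";
} else {
    printf("uid=%d gid=%d (via %s)%s\n", $ids['uid'], $ids['gid'], $ids['via'],
        $ids['uid'] === 0 ? ' -- PHP is running as root; high risk' : '');
}
```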

Posted in PHPSecInfo, My Projects, Development, PHP by funkatron on 03/29 at 01:02 AM
(0) Comments

Thursday, March 22, 2007

Audio from PHPSecInfo presentation

Posted in PHPSecInfo, My Projects, Development, InfoSec, The Web Problem, PHP by funkatron on 03/22 at 03:22 PM
(1) Comments

Wednesday, March 21, 2007

Slides from PHPSecInfo presentation

Get your PDF on:

Defending Web Applications with PHPSecInfo

I did this presentation yesterday as part of the 8th Annual CERIAS Information Security Symposium.

Video forthcoming.

Posted in PHPSecInfo, InfoSec, The Web Problem, PHP by funkatron on 03/21 at 08:06 AM
(4) Comments

Sunday, March 18, 2007

So what is the state of secure development in PHP?

[Figure: NIST NVD data, 2006]

PHP Applications by themselves account for over 40% of all NIST NVD entries in 2006.

We need more than new frameworks. We need new paradigms for PHP development.

Posted in PHPSecInfo, Development, InfoSec, The Web Problem, PHP by funkatron on 03/18 at 12:10 PM
(0) Comments