The Register® — Biting the hand that feeds IT


Yet, mistakes are still being made and in record numbers.

A search of the National Vulnerability Database revealed that, as of 15 December, out of the 6,198 vulnerabilities recorded in 2006, as many as 2,690 - or 43 per cent - had the word "PHP" in the description. A random sampling of the flagged flaws showed that the search appeared to only reveal issues in PHP applications. A search of the database using "PHP" as a vendor flagged some 84 vulnerabilities for 2006 (including in optional components of the language, such as PEAR), while a search using "PHP" as the product returned 33 bugs, ostensibly in the core functions.
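The three searches described above measure different things: a keyword in the free-text description catches every advisory that names a `.php` file in some third-party application, while the structured vendor and product fields isolate PEAR-style components and the interpreter itself. The script below is an added example, not part of the original article or of NIST's tooling; it runs the same three searches over a small set of constructed NVD-style records (placeholder ids, invented descriptions, not real CVE data) and adds a fourth bucket for entries that mention PHP only in the description, which is the population of application bugs the article is pointing at.

```python
"""Classify constructed NVD-style CVE records by how they mention PHP.

Added example for illustration only. The records are constructed; their
ids are placeholders, not real CVE numbers, and the counts they produce
are not the article's figures.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CveRecord:
    """One NVD-style entry: free-text description plus structured
    (vendor, product) pairs, mirroring the two ways the database was queried."""
    cve_id: str
    description: str
    affected: List[Tuple[str, str]] = field(default_factory=list)


# Constructed sample set (not real NVD data). It mixes third-party PHP
# applications, the PHP interpreter itself and an optional component.
SAMPLE_RECORDS = [
    CveRecord("CVE-PLACEHOLDER-0001",
              "SQL injection in index.php in ExampleBoard 1.0 allows remote "
              "attackers to execute arbitrary SQL commands.",
              [("exampleboard", "exampleboard")]),
    CveRecord("CVE-PLACEHOLDER-0002",
              "Buffer overflow in a string function in PHP 5.x allows "
              "context-dependent attackers to cause a denial of service.",
              [("php", "php")]),
    CveRecord("CVE-PLACEHOLDER-0003",
              "The XML_RPC package in PEAR for PHP allows remote attackers "
              "to execute arbitrary PHP code.",
              [("php", "pear")]),
    CveRecord("CVE-PLACEHOLDER-0004",
              "Cross-site scripting in ExampleCMS allows remote attackers to "
              "inject arbitrary web script.",
              [("examplecms", "examplecms")]),
    CveRecord("CVE-PLACEHOLDER-0005",
              "Directory traversal in gallery.php in ExampleGallery allows "
              "remote attackers to read arbitrary files.",
              [("examplegallery", "examplegallery")]),
]


def mentions_in_description(rec: CveRecord, keyword: str = "php") -> bool:
    """Keyword search as the article describes: any occurrence of the word
    in the free text, so 'index.php' in a third-party app counts too."""
    return keyword.lower() in rec.description.lower()


def has_vendor(rec: CveRecord, vendor: str = "php") -> bool:
    """Structured vendor match (PEAR components are filed under vendor php)."""
    return any(v.lower() == vendor.lower() for v, _ in rec.affected)


def has_product(rec: CveRecord, product: str = "php") -> bool:
    """Structured product match: the interpreter and its core functions."""
    return any(p.lower() == product.lower() for _, p in rec.affected)


def count_php_buckets(records: List[CveRecord]) -> Dict[str, int]:
    """Reproduce the three NVD searches on a record set and add a fourth
    bucket: records that mention PHP only in the description, i.e. bugs in
    applications written in PHP rather than in PHP itself."""
    desc = [r for r in records if mentions_in_description(r)]
    return {
        "total": len(records),
        "description": len(desc),
        "vendor": sum(1 for r in records if has_vendor(r)),
        "product": sum(1 for r in records if has_product(r)),
        "description_only": sum(1 for r in desc if not has_vendor(r)),
    }


def share_percent(part: int, total: int) -> float:
    """Percentage rounded to one decimal, the figure quoted as '43 per cent'."""
    return round(100.0 * part / total, 1) if total else 0.0


if __name__ == "__main__":
    buckets = count_php_buckets(SAMPLE_RECORDS)
    for name, value in buckets.items():
        print(f"{name:17} {value}")
    print("description share:",
          share_percent(buckets["description"], buckets["total"]), "%")
```

On the constructed set the description search counts four of five records, the vendor search two, and the product search one, so half of the description hits are application bugs with no PHP vendor or product entry at all. The same gap between the keyword count and the structured counts is what the article's figures of 2,690 versus 84 and 33 show on the real database.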

The vast number of bugs attributed to PHP applications is not surprising given that many amateur developers create their websites using the language, said NIST's Mell.

"I think it is tough for the general public to write secure dynamic web applications," he said. "As much as possible scripting languages for Web sites should be dummy proof. In many incidences, I, a security professional, wondered how to code some bit securely. I wanted to, but how to do it was not immediately obvious."

Flaws in PHP applications have caused headaches for many webmasters. A year ago, the Lupper worm spread among vulnerable applications that used the PHP extensions for extensible markup language (XML), or XML-RPC. Other worms have utilised flaws in popular PHP bulletin board programs as well.

Continuing to educate PHP developers on the latest techniques to secure their applications is extremely important, said Chris Shiflett, a manager in the web application security practice at OmniTI and author of O'Reilly's Essential PHP Security.

"To say PHP has a security problem suggests that it's impossible to develop a secure PHP application, but to say PHP doesn't have a security problem suggests that everything is perfect - neither is true," Shiflett said. "Web application security is a rapidly evolving discipline, and it's difficult for the average developer to keep up with the pace."

Developers need to start thinking about security as soon as they start designing their applications, he said. Moreover, the focus on securing code needs to continue throughout the life of the website, he added.

"Over time, web application security should start to mature just as other security disciplines have, but that only means the pace of evolution will slow down, not stop," Shiflett said. This article originally appeared in SecurityFocus.

Copyright © 2006, SecurityFocus
