Robert Peake: Who's On Input
Feb 10, 2005 @ 13:58:55

If you've been following the debate between Chris Shiflett and Robert Peake, there's a new chapter in the exchange in a new posting over on Robert's weblog.

OK, so maybe Chris didn't say "security is what happens between input and output." But I do. The truth is that a PHP developer really only has control over these two deceptively simple components of the application. [...] The PHP developer, however, has a specific responsibility to make the "black box" he codes in as airtight as possible. And the way to make that happen is to focus on two domains: input, and output.

This raises another pretty interesting point: most PHP developers aren't.

They're systems administrators, network administrators, and sometimes CISOs for everything web-facing. Should they be? Can this go on in the enterprise? Can seasoned PHP veterans trust junior admins to do the job when it comes to setting up everything around the code they will write?

He does raise some interesting points, especially about the primary responsibilities of PHP coders out there - and how many of them really aren't dedicated to it. He also asks a *very* important question: So where do we draw the line, divide up the responsibility, and make sure applications are safe end-to-end? Really, there is no clear dividing line to follow on this. You can try to set a standard for PHP security, but there will always be multiple exceptions to the rule - that's just the nature of programming. There is, however, one thing that can be done, clearly stated by Robert:

Time for developers to focus on secure development, and the rest of the enterprise to step up to do their part in sustaining a secure end-to-end web application.
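The "input and output" principle from Robert's quote above, shown as one small request handler. This is an added example, not code from either weblog post: the input boundary validates and allow-lists what the client sent, the database call binds parameters so input never becomes SQL text, and the output boundary escapes for the HTML context the data lands in. It assumes the `pdo_sqlite` extension so the script runs offline against an in-memory table; the request values and table rows are constructed here and stand in for `$_GET` and a real database.

```php
<?php
declare(strict_types=1);

// --- Input boundary: validate everything the client sent before it is used. ---
function readListRequest(array $get): array
{
    // Page number must be a positive integer; anything else is rejected, not coerced.
    $page = filter_var($get['page'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($page === false) {
        throw new InvalidArgumentException('page must be a positive integer');
    }
    // Column names cannot be bound as parameters, so the sort field is mapped
    // through a fixed allow-list; the raw string never reaches the query.
    $allowedSort = ['title' => 'title', 'date' => 'created_at'];
    $sortKey = $get['sort'] ?? 'date';
    if (!isset($allowedSort[$sortKey])) {
        throw new InvalidArgumentException('unknown sort field');
    }
    return ['page' => $page, 'sort' => $allowedSort[$sortKey]];
}

// --- Data access: values are bound, the identifier comes only from the allow-list. ---
function listArticles(PDO $db, string $sortColumn, int $page, int $perPage = 10): array
{
    $stmt = $db->prepare("SELECT title, body FROM articles ORDER BY $sortColumn LIMIT :lim OFFSET :off");
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Output boundary: escape for the context the data lands in (HTML body here). ---
function renderArticles(array $rows): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '';
    foreach ($rows as $row) {
        $html .= '<h2>' . $esc($row['title']) . '</h2><p>' . $esc($row['body']) . '</p>';
    }
    return $html;
}

// Constructed fixture standing in for a real database and a real request.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, created_at TEXT)');
$db->exec("INSERT INTO articles VALUES (1, 'Who''s On Input', 'Body with <b>markup</b> & \"quotes\"', '2005-02-10')");
$db->exec("INSERT INTO articles VALUES (2, 'Filter In, Escape Out', '<script>alert(1)</script>', '2005-02-11')");

$request = ['page' => '1', 'sort' => 'date'];   // constructed, stands in for $_GET
$params  = readListRequest($request);
echo renderArticles(listArticles($db, $params['sort'], $params['page']));
```

The point the two boundaries make: the handler does not try to guess which characters are "dangerous" in the middle of the application. Validation happens once, at the edge where data comes in, and escaping happens once, at the edge where data goes out, with the escaping chosen for the output context (HTML here; a JSON or shell context would need a different encoder).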
