
PHPEverywhere:
Web Application Security Reviews
Aug 29, 2005 @ 20:02:41

PHPEverywhere has a new post today with a list of requirements that the author, having just been through a security audit, notes were similar in that audit and all of the ones before it.

As we continue to develop what I like to think is Enterprise PHP software, one of the most painful parts of the software installation is when we have to go through security audits. The most sticky and difficult ones that I have seen are the audits of financial institutions.

After a while, the requirements are pretty similar, but to pass our first audit wasn't easy. Here's a sampling of what was required...

Some of the requirements are pretty much common sense (installing a tool like Tripwire and keeping passwords encrypted), but others, such as splitting important passwords/accounts between 2 or more people and testing for cross-site scripting, might be harder to take care of.

Has anyone else out there had much experience with audits on their PHP applications? If so, how'd it go?
