thePHP.cc:
Do Not Enter!
Nov 23, 2012 @ 16:37:44

In a new post to the PHP.cc site today, Arne Blankerts reminds us that not all security is about writing good code and handling data correctly - it's also about the systems that code runs on.

What seems to be so obvious for road traffic and its rules seems to be less obvious for many web developers. They tend to slack on defining (and monitoring) what is happening at the application level as well as the infrastructure level of their application. It is not enough to run a default install of your operating system of choice, add whatever services you need, and hope for the best. Considering the amount of money as well as damage to reputation, either directly due to fraud and abuse or indirectly by time lost to recover a hacked system or software, the "let's hope for the best" approach is of arguable quality. And we are not even considering general bugs here.

He mentions configuring the server, OS and network to ensure a higher level of security, noting that no matter how much work is put into secure code, your app is still vulnerable if an attacker can reach parts of the system they shouldn't.

But how can you tell if someone is actually trying to break in? Pretty much exactly as the police does for road traffic: with speed checks and by patrolling. A properly configured firewall will show as well as inhibit any unauthorized communication within the network and all you need to do is monitor the vital signs of your infrastructure.
tagged: server operatingsystem security network firewall

Stuart Herbert's Blog:
Installing Phix on Various OSes (OSX, Debian, Ubuntu, Fedora)
Oct 03, 2011 @ 15:02:58

Stuart Herbert has put together a series of posts detailing how to get the Phix component creation and management tool installed on various operating systems.

Phix makes it extremely easy to create and maintain your own PEAR-installer compatible components for reuse in your PHP applications. Installation takes just seconds, and it's both open-source and framework-agnostic!

The OS guides help you get it installed for:

For more information about Phix (including helpful "getting started" details) check out the project's website.

tagged: phix install component package manage pear operatingsystem guide

PHP-Code.net:
Securing PHP Apps Part III – Securing PHP on the server/Securing MySQL & Apache
Oct 14, 2010 @ 15:40:21

PHP-Code.net has posted the third part of their series looking at ways you can help to secure your PHP-based application. This time, though, the focus is all on the server side - Apache/MySQL/etc.

This is the last part of this tutorial where I tell you a few things about securing PHP on the server, about securing MySQL and Apache. [...] Also, you have to keep in mind that you must know on what operating system your server runs in (UNIX, Linux, Mac OS or Windows) because this has to be secured too. This article is not intended to present this step, but I thought that is good to know that too.

He starts the article with a few tips on shopping for a web host (if you don't already have one, of course), including encouraging the web host's admins to keep up with patches and apply them quickly. He includes a few helpful hints on securing the Apache side of things, like setting ServerSignature to Off and ServerTokens to Prod. For MySQL, his tips include updating to the latest version, and for PHP, using the Suhosin patch to cover some of the major issues caused by insecure PHP programming.

tagged: security application server apache mysql operatingsystem

Ibuildings Blog:
Windows Azure and PHP
Oct 28, 2008 @ 14:36:13

In this new post to the Ibuildings blog, Ivo Jansch talks about the recent experience he had attending the Microsoft Professional Developers Conference in Los Angeles, CA.

I was invited to this conference by Microsoft (thanks Bram!) because Microsoft is opening up to the PHP community, and I must say that so far they haven't disappointed me.

He talks about what Microsoft had to show off, including Azure, a cloud operating system that, in the future, will be adapted to allow PHP applications to run on it.

tagged: windows azure microsoft cloud operatingsystem
