Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Brandon Savage's Blog:
Suhosin: The Invisible Hand Of PHP
Nov 18, 2009 @ 08:14:52

Brandon Savage has written up a look at the Suhosin patch for PHP (a project led by Stefan Esser), what it can do for your PHP installation, and his opinion on its benefits.

Last week, I received an email from someone who told me how the Suhosin patch had created problems for their team, and suggested that I write about it here. I thought this was a great idea, for a number of reasons. Particularly, Suhosin is one of those PHP patches that alters the way PHP operates in a fundamental fashion, yet also is installed by default in many places (for example, Ubuntu compiles this patch in by default on their installation).

He talks about some of the features it includes: disabling eval, blocking remote includes, controlling the memory limit on a per-script basis, and setting limits on the size of the REQUEST arrays. He notes that, while the Suhosin patch is a good thing and can make a real difference to your application, it is by no means a requirement for building a secure application (and shouldn't be treated as a substitute for secure code).
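As an added illustration (not from Brandon's post and not shipped by the Suhosin project), here are the php.ini directives that correspond to the features listed above, with a permissive setting commented out beside a hardened one. The directive names are given as recalled from the Suhosin documentation, so check them against the docs for the Suhosin version actually installed; the numeric values are assumptions chosen for the example, not Suhosin's defaults.

```ini
; Added example: Suhosin settings for the features mentioned above.
; Directive names are as recalled from the Suhosin documentation;
; verify them against the docs for your installed version.

; Start in simulation mode: violations are logged but not blocked, so
; you can see what an existing application trips over before enforcing
; anything (the kind of breakage the emailer above ran into).
suhosin.simulation = On

; eval(): permissive setting vs. hardened one. Disabling it breaks any
; library that builds code at runtime, so test under simulation first.
; suhosin.executor.disable_eval = Off
suhosin.executor.disable_eval = On

; Remote includes: Suhosin refuses include/require of URL schemes that
; are not whitelisted. An empty whitelist is the hardened setting; never
; add http:// or ftp:// to it.
; suhosin.executor.include.whitelist = "http://"
suhosin.executor.include.whitelist =

; Memory: a ceiling on what a script may raise memory_limit to via
; ini_set(); 0 means no ceiling. The value's unit is as documented for
; your Suhosin version (assumption: same size syntax as memory_limit).
; suhosin.memory_limit = 0
suhosin.memory_limit = 128M

; Request-size limits: number of variables, variable name length, value
; length and array nesting depth accepted in GET/POST/COOKIE data.
; The numbers are example values, deliberately tighter than the defaults.
suhosin.request.max_vars = 200
suhosin.post.max_vars = 200
suhosin.get.max_vars = 100
suhosin.request.max_varname_length = 64
suhosin.request.max_value_length = 65000
suhosin.request.max_array_depth = 20
```

Once the log is clean, set suhosin.simulation = Off. Size the request limits to the largest form or API payload the application legitimately accepts, because a bulk-edit page or a large upload form can exceed them easily. None of this replaces validation in the application itself: the caps bound how much data reaches your code, not what the code does with it.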

There's also an interesting reply from Stefan Esser himself in the comments on Brandon's post.

tagged: suhosin patch stefanesser security

Link:

ThinkPHP Blog:
Webinar: Create Secure LAMP Applications
Aug 21, 2008 @ 08:44:10

The ThinkPHP blog points out a recorded (German-only) webinar that Stefan Esser did covering the creation of secure LAMP applications.

Unfortunately, this Webinar was in German, but if you understand German you might be interested in the Webinar recording which is now available at MySQL's website.

The webinar looks at previous attack types, things MySQL already includes to help prevent SQL injection, handling multi-byte characters, and correct error handling.

tagged: lamp application secure webinar german stefanesser

Link:

Community News:
Stefan Esser in eWeek's Top 100 (Blogger Responses)
Apr 14, 2008 @ 11:11:47

Two bloggers have commented on the recent nomination of Stefan Esser to eWeek's "Top 100 Most Influential People in IT" - Ben Ramsey and Stas (on the PHP 10.0 Blog).

Ben congratulates Stefan on the nomination and on making the list when others in the PHP community didn't.

Stas, on the other hand, disagrees a bit with some of the comments made by the reporter who wrote up Stefan's piece:

I do not see how reporting a bunch of vulnerabilities (most of them fixed by the time of publication - for which thanks to Stefan Esser as the responsible reporter) is "thoroughly exposing the insecure nature of PHP". Bugs and bug reports - including ones that may affect security in one way or another - are nothing but commonplace in both open-source and non-open-source software worlds.

You can check out the full list for yourself on the eWeek site.

tagged: blog stefanesser influential people list

Link:

Community News:
Stefan Esser Named to eWeek's The 15 Most Influential People in Security Today
Feb 19, 2008 @ 07:59:00

As the ThinkPHP blog points out today, Stefan Esser has been named one of the "15 Most Influential People in Security Today" by eWeek.

If there's a security hole in PHP, chances are it was found by Stefan Esser, an open-source security specialist. Esser's advisories about flaws in Linux, NetBSD, Samba, Ethereal, CVS, Subversion, MySQL and PHP are legendary. [...] His "Month of PHP Bugs" project thoroughly exposed the insecure nature of the widely deployed PHP language and forced a rethink about security in the open-source world.

Check out the slideshow for other people in the list including Michal Zalewski of Google and Ivan Krstic of the "One Laptop Per Child" project.

tagged: stefanesser eweek security influential list slideshow

Link:

BlogSecurity.net:
Interview with Stefan Esser on WordPress
Jun 29, 2007 @ 17:16:00

On the PHP Security Blog today, Stefan Esser points out an interview he did with BlogSecurity concerning the current state of security in the WordPress software.

In the interview they cover several different aspects and security-related concerns, including:

  • a previous critical SQL injection vulnerability in WordPress
  • Esser's general thoughts on the software
  • his recommendations for the WordPress team
  • his improvements and suggestions for other blogging software

Check out this post on the BlogSecurity site for the complete interview.

tagged: wordpress interview stefanesser security

Link:
ThinkPHP Blog:
SektionEins: joined forces of Stefan Esser/Hardened PHP and Mayflower
May 24, 2007 @ 12:02:00

The ThinkPHP Blog has some new information posted about a collaboration between the Mayflower Group and Stefan Esser (and the Hardened-PHP Project) to create SektionEins.

SektionEins specializes in Web Application Security, supporting every web platform available out there. Of course there is some special knowledge in the area of PHP included and the Chorizo and Consulting experience does add a lot of Web2.0 knowhow.

With SektionEins both Suhosin and Chorizo found a new home. And so does Web Application Security.

Currently, the new service hasn't launched yet, but you can enter your email address to be notified when it's open for business.

tagged: mayflower stefanesser sektioneins

Link:
Jeremy Privett's Blog:
Speaking of egotistical...
May 20, 2007 @ 14:43:06

Jeremy Privett is back with a few more thoughts on the PHP community, specifically focused on one developer - Stefan Esser.

Just reading the title of the entry through my Live Bookmarks in Firefox, I can't help but think "Thank you, Stefan, for fixing a security vulnerability in PHP and making the language that I love that much more solid and secure." - Okay, maybe that was a bit of an exaggeration, but it needs to be said that Stefan Esser does do PHP a good service through finding and reporting these kinds of vulnerabilities.

He then turns to the other side of the story, the behaviour on Esser's part that he thinks provokes this kind of reaction:

I know he's got his reasons for having issues with the developers, and if everything he's constantly ranting and raving about is indeed true, all the more reason to have issues. But do not lower yourself to their level, if that's the case. Constantly and consistently belittling PHP Developers and Zend Employees, whether on your blog or in the PHP Internals list itself, does not make you any better than them.

Jeremy suggests that this sort of action (and reaction) isn't helping the PHP community step up to be seen as a more "Enterprise quality" language.

tagged: community stefanesser community comments

Link: