On the Zend Developer Zone, Cal Evans has posted an article about a topic that's always hot in any development community - security. In his post, "On Security and PHP", he comments on some recent metrics reported by a larger application security company and offers a somewhat more realistic view of the world of PHP security (along with some possible weaknesses in their metrics).
Yet another consultant group has decided that their traffic stats are too low so they need to “shake things up a bit”. As usual, they picked PHP as the whipping boy. No, I am not going to link to them; too many people are already doing that unironically. [...] So we have a consulting group that has discovered that compiled languages have fewer security issues than dynamic languages. In other news, water is wet. This insight isn’t a revelation to anyone who has worked with a compiled language.
He also points out the leap they make from the PHP-related results to the two pieces of software that power a large part of the web, WordPress and Drupal. He mentions the recent installation statistics published by Jack Skinner and notes that, when it comes down to keeping the actual language secure, nothing beats keeping things patched. Cal summarizes the current state of things (and where we should be heading) well:
We can all agree that PHP code used to be notoriously insecure due in part to its low point of entry, but so was the entire Internet. As we learn, we are writing better and more secure code. Sadly, reports like the one highlighted here do nothing more than perpetuate old stereotypes. The truth is that yes, PHP code has flaws, much like Python code, node.js code, and Ruby code. We’ve got fewer this year than last, and hopefully, we will have fewer next year. We are getting better. Sadly, not all applications get better at the same rate. Some people just will not bother to patch old code. That is not a language problem, that is a people problem. (It doesn’t lessen the importance of the problem, but let’s at least properly identify it.)