[nycphp-talk] PHP Penetration Discussion

Chris Shiflett shiflett at php.net
Sat May 28 16:58:17 EDT 2005


Rolan Yang wrote:
> What do you think if there was some sort of "security seal of approval"
> applied to scripts in a code archive?

It's a good idea but hard to achieve in practice. This requires that the 
code be audited and approved by a person or group of people qualified to 
do so. What criteria must one meet to be qualified to make such a 
judgment? Even assuming that a qualified group existed, how do they 
choose which code to audit? There is a lot of PHP code out there, and 
auditing code takes a very long time.

> I think having a library of secure code bits would be invaluable to all
> php programmers.

While not code, the PHPSC has tried to do this sort of thing with online 
resources, linking to resources that we feel can help security-conscious 
PHP developers (many resources are counter-productive, as Adam warned 
against). The result of this is a small library of links:

http://phpsec.org/library/

It's nothing earth-shattering, but you can at least feel a bit more 
comfortable knowing that a few people reviewed each of these resources 
and believe that there is something useful there.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/