These are not the Vulnerabilities you are looking for...


Pádraic Brady

Sep 4, 2012, 7:37:29 AM
to phps...@googlegroups.com
I wrote a whole blog post, and now I'm expected to write an intro email? Seriously?

This Technical Group does not exist...yet. If you want it to - it's up to you to determine what it should be doing. I have been writing a PHP Security book, for example. As far as I'm concerned, if the PHPSECTG actually takes off - the book will be transferred to TG stewardship. Nice wee nugget of something concrete and tangible.

Some of you will have your own security resources online or elsewhere. The purpose of the TG is NOT to control these. Its purpose is to see if they are worth supporting, publicising and lending them weight as an authoritative source of information.

The TG's goal, in my lonely mind-of-one, is to upset the balance and challenge the status-quo.

That's all I have. It's no longer MY group - it's YOUR group. Start making noise. I'm not a Benevolent Dictator around here. I lost control the moment one of you joined this mailing list and cut my vote to 50%. Wait, who the heck made it 25%? Hey, quit that!

Paddy

richardjh

Sep 4, 2012, 5:06:31 PM
to se...@googlegroups.com, phps...@googlegroups.com
Paddy,

I am sure my presence in this group will prove to be of little consequence, but I just want to say thanks for kicking things off. If nothing else, if this group can stop people posting things like http://www.w3schools.com/php/php_mysql_insert.asp we can hopefully save a few poor souls.

Richard Holloway

Wayne Duran

Sep 4, 2012, 7:39:19 PM
to se...@googlegroups.com, phps...@googlegroups.com
I'm very interested. What can a non-expert like me do to help?

Jeremy Hutchings

Sep 4, 2012, 7:55:24 PM
to se...@googlegroups.com, phps...@googlegroups.com
I'll take an intro email over moving the moon ;)

Jeremy Hutchings here ..... though most people know me as Jerry and from the original gang that worked on vBulletin, though now I'm the technical dictator ... err director for metrolyrics.com which is part of the CBSi group of sites (zdnet, cnet, and loads of others).

CBSi is standardising on PHP, so it's getting taken very seriously here. Also I've worked in government and military environments and they (and I) tend to take security seriously, so I'm all for doing what I can to move PHP's moon.

------

I can see "how far down the rabbit hole do you want to go" approach maybe working.

level 0 - 1 page of uber simple things and common mistakes (like the w3schools link below) that should have gone away 5-10 years ago.

level 1 - How aspects of the language itself can be used in a better manner (e.g. I was talking to an 'expert' PHP developer recently who didn't know about filters etc. http://www.php.net/manual/en/intro.filter.php)

level 2 - Things like http://www.hardened-php.net/suhosin/ and the history of some of the issues in PHP (for when the Ruby crowd start quoting code from 1998).

level 3 - systems architecture, different servers, private LANs, what really is "trusted" etc.


Just a thought ....

Sky Gunning

Sep 5, 2012, 1:53:48 AM
to se...@googlegroups.com, phps...@googlegroups.com
Hello

I'm very interested in this subject and will gladly follow what you all have to say and perhaps even write a few things.

It's a complicated subject as you all know.

I have been creating websites for some time now and I still do some stupid things with security, like putting the "salt" in the user table...
Only recently I realised that it made no sense.

My point is: the PHP world needs people to talk about security and introduce it.

Regards.

Pádraic Brady

Sep 5, 2012, 5:52:05 AM
to se...@googlegroups.com, phps...@googlegroups.com
Hi Richard,

Every little helps. Yes, articles like the one you reference are a big problem. It's also an issue in the PHP manual itself at times. For example, a section on using HTTP with internal functions (when allow_url_fopen is on) shows how to make an HTTPS request (in an insecure way) and never shows the correct way.

Perhaps we need some sort of checklist encompassing common mistakes that such articles/docs make? Something like that would be easily accessible, reusable by the public, and raise awareness that articles do make errors.

Paddy
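As an added illustration of the point above (this is editorial example code, not from the thread or the PHP manual): with allow_url_fopen on, `file_get_contents()` will happily fetch an https:// URL, but whether the server certificate is checked depends on the default SSL stream context, which was `verify_peer=false` before PHP 5.6. The hardened version below sets the verification options explicitly so the behaviour no longer depends on the PHP version or php.ini. The CA bundle path and the URL are assumptions; `verify_peer_name` needs PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. Assumes allow_url_fopen=On and
// that the CA bundle path below exists on the host (adjust for your distro).

// Weak form, as seen in many tutorials: relies entirely on the default SSL
// context. On PHP < 5.6 that default did not verify the peer certificate,
// so any certificate presented on the wire would be accepted.
function fetchInsecure(string $url)
{
    return file_get_contents($url);
}

// Hardened form: refuse plain HTTP, verify the certificate chain against a
// known CA bundle, and verify that the hostname matches the certificate.
function fetchVerified(string $url, string $caBundle = '/etc/ssl/certs/ca-certificates.crt'): string
{
    if (strpos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('Refusing non-HTTPS URL: ' . $url);
    }
    if (!is_readable($caBundle)) {
        throw new RuntimeException('CA bundle not readable: ' . $caBundle);
    }

    $context = stream_context_create([
        'ssl' => [
            'verify_peer'         => true,      // validate the chain against cafile
            'verify_peer_name'    => true,      // hostname must match the cert (PHP >= 5.6)
            'allow_self_signed'   => false,
            'cafile'              => $caBundle,
            'disable_compression' => true,      // avoid TLS compression side channels
        ],
        'http' => [
            'method'        => 'GET',
            'timeout'       => 10,
            'ignore_errors' => false,
        ],
    ]);

    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('HTTPS fetch failed: ' . ($err['message'] ?? 'unknown error'));
    }
    return $body;
}

// Usage (hypothetical URL): a certificate that does not chain to the bundle,
// or whose name does not match, now raises a RuntimeException instead of
// silently returning attacker-controlled content.
// $page = fetchVerified('https://api.example.com/status');
```

The difference that matters is not the fetch call but the context: with `verify_peer` and `verify_peer_name` both true, a failed verification turns into a hard error that the caller must handle, which is the behaviour a tutorial on HTTPS should be showing.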

Pádraic Brady

Sep 5, 2012, 6:05:15 AM
to se...@googlegroups.com, phps...@googlegroups.com
Hi Wayne,

I hope that once things kick off, we'll have a list of active security-related projects/sites that would love to get some contributors/writers. Being a non-expert isn't necessarily a barrier. I'm a self-taught programmer myself so if you find yourself interested in a specific security topic there are outlets for writing about it, and plenty of sources online you can research (likely not PHP specific but the basics are identical across all programming languages).

It's not as difficult as it appears to get up to date on a specific topic - just requires some reading and a willingness to pass it on to fellow PHP programmers. Sites like OWASP, Wikipedia and WASC (webappsec.org) do a decent job of giving briefer overviews as a stepping stone.

If you want to start smaller - use Twitter. The #xss, #appsec, #sqli, #websec, #security, #csrf and other tags will drag up lots of people tweeting on the topic. You could create a custom search/filter for those tags in your client and retweet/read those of interest. Raising awareness in your social circle is actually a huge positive! It also shows how often these issues go public - something many programmers underestimate.

Paddy

Sky Gunning

Sep 5, 2012, 6:22:28 AM
to se...@googlegroups.com, phps...@googlegroups.com
That website: webappsec.org
It's very good!
Thanks for the information.

I read OWASP already, but webappsec has some very nice articles!

Sky

Pádraic Brady

Sep 5, 2012, 6:44:51 AM
to se...@googlegroups.com, phps...@googlegroups.com
Hi Jeremy,


On Wednesday, 5 September 2012 00:55:25 UTC+1, Jeremy Hutchings wrote:
I'll take an intro email over moving the moon ;)

Yes, it does seem a bit easier ;).
 
Jeremy Hutchings here ..... though most people know me as Jerry and from the original gang that worked on vBulletin, though now I'm the technical dictator ... err director for metrolyrics.com which is part of the CBSi group of sites (zdnet, cnet, and loads of others).

CBSi is standardising on PHP, so it's getting taken very seriously here. Also I've worked in government and military environments and they (and I) tend to take security seriously, so I'm all for doing what I can to move PHPs moon.

Welcome to the list, Jeremy ;). Hopefully, this TG will go some way to promoting better security awareness in PHP at large. I know that most of what I build depends on the core language, frameworks, and stacks of libraries/bundles/modules. The tools we develop with are not necessarily ones we directly control anymore. I suppose we should blame Github for that one. It's made small dependencies popular again and created new risks (more deps means we need something like Composer to entrust their management to).
 

I can see "how far down the rabbit hole do you want to go" approach maybe working.

level 0 - 1 page of uber simple things and common mistakes (like the w3schools link below) that should have gone away 5-10 years ago.

level 1 - How aspects of the language itself can be used in a better manner (e.g. I was talking to an 'expert' PHP developer recently who didn't know about filters etc. http://www.php.net/manual/en/intro.filter.php)

level 2 - Things like http://www.hardened-php.net/suhosin/ and the history of some of the issues in PHP (for when the Ruby crowd start quoting code from 1998).

level 3 - systems architecture, different servers, private LANs, what really is "trusted" etc.

Just a thought ....

It's a good list. It'll likely become clear which levels are being covered at present and from there we can look at what needs new/better coverage. The TG is a fairly modest endeavor so I don't want to overburden us with commitments. Everyone here is free to pick and choose how they want to contribute, and to what extent, but knowing the gaps in the above is certainly important once we have goals/deliverables agreed (assuming we intend achieving something :)).

Paddy

Pádraic Brady

Sep 5, 2012, 6:48:52 AM
to se...@googlegroups.com, phps...@googlegroups.com
I think you just became the TG's first concrete success too :P.

Yes, it's quite a good website and some of its articles are better than OWASP's depending on the topic. The main issue programmers have with them, I believe, is that they lack a dedicated PHP perspective which limits their usefulness. I've been working on that problem so that its success can be replicated in PHP. Doubtlessly I'll bring that up when we get around to discussing available resources for PHP programmers looking for credible security info.

Paddy

Pádraic Brady

Sep 5, 2012, 7:04:25 AM
to se...@googlegroups.com, phps...@googlegroups.com
Hey Sky,

On Wednesday, 5 September 2012 06:53:48 UTC+1, Sky Gunning wrote:
Hello


My point is: the PHP world needs people to talk about security and introduce it.

Very true. Though this is where the weirdness begins with PHP. We have no shortage of people talking/writing about security. The problem is that they too often get it wrong. The voices of those who have valuable knowledge are being drowned out and lost. If the only thing the TG achieves is to provide a better route to peer-reviewed information, then we win. We need to grab programmers before they get lost, show them where great information is, and give them an advantage in spotting bad advice.

It IS a bit of a puzzle, I know. The TG's goal (or at least a proposed one since I am NOT your dictator) is not simply to create information but to emphasise good information. Creation is a far more time consuming task - I don't expect dozens of TG members to do that. Publicising good information, on the other hand, is a far easier objective for many - blog, tweet, RSS feeds - low hanging fruit that can have an immediate impact.

Paddy

Sky Gunning

Sep 5, 2012, 7:09:24 AM
to se...@googlegroups.com, phps...@googlegroups.com
Perhaps a blog like http://www.planet-php.net/
Just reference "good" content.

It's still a bit of work, but I myself like this kind of blog very much.
It makes new information about one subject quick to access.

Just an idea.

Sky

Pádraic Brady

Sep 5, 2012, 7:35:43 AM
to se...@googlegroups.com, phps...@googlegroups.com
Hi Sky,

Yes, that's one possibility. We could also aggregate from, with permission, other sources exposing RSS feeds. It would also not be hard to tell PHP programmers that if writing about security, they can register their blog and a tag/category to aggregate.

Peer reviewing probably wouldn't be a realistic goal - though we could obviously remove feeds with too much noise/poor quality information.

I'll bring it up again when we get to proposing specific steps to take. If someone can supply a template design (I'm not a designer - being a backend app guy), I can easily build out a simple backend hooked into Superfeedr or something.

Paddy

Timo H

Sep 5, 2012, 8:55:05 AM
to se...@googlegroups.com, phps...@googlegroups.com
This is an important topic you guys are bringing up. It just should have started a lot earlier ;)

"The voices of those who have valuable knowledge are being drowned out and lost", this is exactly one of the biggest problems we have. Look at password hashing for example: it has been common and public knowledge in the field (for at least nearly 20 years) how to "do it properly": http://seclists.org/bugtraq/1995/Apr/143 but yet average developers are still not aware of the facts surrounding password hashing.

I think http://phpsecurity.readthedocs.org/en/latest/index.html is a really good central starting point. Keep extending it and add links to valuable external sources. Good job there.

Also, I'd like to emphasize the "mental mindset" about secure software development. It is a way underrated topic. It should not be only cryptographers who think this way :)

Regards,
Timo
http://timoh6.github.com/
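As an added example for the password-hashing point Timo raises above (editorial code, not from the thread or from any of the linked sites): the design the 1995 bugtraq post describes, a per-user random salt plus a slow, iterated hash, is what PHP's native `password_hash()` / `password_verify()` API (PHP 5.5 and later) implements. The salt is not a secret: `password_hash()` draws a fresh one per call and embeds it in the returned string, so a single column holds everything needed to verify. The legacy-hash migration path and the sample credentials are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Requires PHP >= 5.5 for the
// password_* functions; the "legacy md5" branch models a common pre-2012
// schema and exists only to show an in-place upgrade path.

const HASH_COST = 12; // tune so one hash takes ~100 ms on your hardware

// Hash a new password. The random 16-byte salt and the cost are stored
// inside the returned string (e.g. "$2y$12$<salt><hash>"), so the user
// table needs one VARCHAR(255) column and no separate salt column.
function hashPassword(string $plaintext): string
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

// True if the stored value is an unsalted hex md5 (32 hex chars), which is
// the legacy format this constructed example migrates away from.
function isLegacyMd5(string $stored): bool
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

// Verify at login. Returns [ok, newHashOrNull]; when newHash is not null the
// caller should write it back so the user is silently upgraded to bcrypt.
function checkPassword(string $plaintext, string $stored): array
{
    if (isLegacyMd5($stored)) {
        // hash_equals avoids a timing side channel on the comparison.
        if (!hash_equals($stored, md5($plaintext))) {
            return [false, null];
        }
        return [true, hashPassword($plaintext)];
    }

    if (!password_verify($plaintext, $stored)) {
        return [false, null];
    }
    // Also upgrade when the cost or algorithm has since been raised.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        return [true, hashPassword($plaintext)];
    }
    return [true, null];
}

// Constructed demo, no database involved.
$pw = 'correct horse battery staple';

$h1 = hashPassword($pw);
$h2 = hashPassword($pw);
assert($h1 !== $h2);                              // fresh salt each time
assert(checkPassword($pw, $h1) === [true, null]);  // valid, no upgrade needed
assert(checkPassword('wrong', $h1) === [false, null]);

$legacy = md5($pw);                                // what the old table held
[$ok, $upgraded] = checkPassword($pw, $legacy);
assert($ok && $upgraded !== null && !isLegacyMd5($upgraded));
assert(checkPassword($pw, $upgraded) === [true, null]);
```

The migration branch is the practical part: an existing user base does not need a forced reset, because the first successful login after deployment re-hashes the password and the legacy value can be overwritten. Raising `HASH_COST` later is handled the same way by `password_needs_rehash()`.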