It may seem odd to see PHP and APPSEC mentioned in the same sentence. Unfortunately, PHP has been the victim of a lot of bad press over the years in terms of both security and syntax. Despite that, PHP still asserts itself in pretty much every industry that uses web technologies.
I've been a fan of PHP since the Personal Home Page days because of its familiar syntax, decent performance and easy integration with the best web servers out there. It has its issues, but what doesn't?
Unfortunately, that same low barrier to entry for PHP allows inexperienced developers to act like engineers and publish insecure code. These developers may be developing useful stuff, but they simply don't understand security.
So, how do you continue to use PHP? Even more concerning, how do you continue to allow your customers to use PHP?
Over the past several months, I've been working with a combination of Suhosin, mod_security, and other security tools (see my Top 5 Apache and PHP Security Modules post). While a lot has been written about mod_security, Suhosin is pretty interesting and not praised nearly enough. Suhosin is a hardening module installed as a plugin to PHP, and included in most Linux distributions.
Suhosin essentially enforces many PHP best practices. For example, you can prevent silly things like calling includes or curl inside an eval(). You can even force PHP to run a script whenever a file is uploaded (think: virus scanner). However, be warned: like other security modules, you'll need to fine-tune the configuration or your customers will scream.
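A php.ini fragment showing the two controls mentioned above, written here as an added illustration rather than copied from the Suhosin project or its documentation; the directive names are real Suhosin settings, while the commented "loose" values and the path /usr/local/bin/scan-upload.sh are assumptions for the example.

```ini
; --- Loose: eval() may pull in code or talk to the network, uploads are unchecked ---
; suhosin.executor.disable_eval = 0
; suhosin.executor.eval.blacklist =
; suhosin.upload.verification_script =

; --- Hardened ---
; Forbid include/require and curl calls from inside eval()'d code.
suhosin.executor.disable_eval = 0
suhosin.executor.eval.blacklist = include,include_once,require,require_once,curl_init,curl_exec,curl_multi_exec

; Only allow include/require of local files; remote includes are rejected.
suhosin.executor.include.whitelist =
suhosin.executor.include.allow_writable_files = 0

; Run an external checker (e.g. a clamscan wrapper) for every uploaded file.
; Suhosin passes the temporary file path as the argument and keeps the upload
; only if the script prints 1; anything else rejects it.
; /usr/local/bin/scan-upload.sh is an assumed path for this example.
suhosin.upload.verification_script = /usr/local/bin/scan-upload.sh
suhosin.upload.max_uploads = 10
suhosin.upload.disallow_elf = 1
suhosin.upload.disallow_binary = 0

; Log what the module blocks so you can tune before customers complain.
suhosin.simulation = 0
suhosin.log.syslog = 511
```

Run with suhosin.simulation = 1 first: violations are logged but not enforced, which is the safest way to find out what a customer's application actually does before the blocks go live.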
Suhosin, mod_php, and other such applications mask the problems; they don't replace smart software development. Static source code analysis tools, penetration testing and vulnerability assessment tools will always have their place, but it doesn't hurt to buy some really effective (and free) insurance.
Lee V. Mangold is an information security researcher, author, student, entrepreneur and self-professed INFOSEC evangelist. He is currently a senior researcher and network operations manager for a US Department of Defense contractor.