After posting Simple XSS Vulnerability, it seems, according to my site stats, that a large number of people are interested in PHP security, more so than in any other topic I have blogged about. Since I am no security expert, I thought I would provide a few links to some quality resources on the net.
One of the best resources is the PHP Security Consortium, where you can find the PHP Security Guide. It is published in three different formats (HTML, PDF, DocBook Lite) and four different languages (English, French, Romanian, Serbian). They also publish their own articles and have a links library to numerous articles on other sites.
The founder of the PHP Security Consortium is Chris Shiflett, who has published a few books (including Essential PHP Security). He, of course, also has his own website where you will find the PHP & Web Application Security Blog along with numerous articles. While gathering the links for this post, I found an excellent article about XSS (Foiling Cross-Site Attacks).
Another well-known PHP security expert is Ilia Alshanetsky, creator of FUDforum. He has published php|architect’s Guide to PHP Security, and runs his own blog.
If you haven’t yet heard about the Hardened-PHP Project, it is well worth checking out. There you will find Suhosin, an advanced protection system for PHP installations, and the Hardening patch, a patchset that adds security hardening features to PHP, protecting your servers both against a number of well-known problems in PHP applications and against potential unknown vulnerabilities within those applications or the PHP core itself. This is also the team that brought us the Month of PHP Bugs in March ‘07.
An outspoken member of the Hardened-PHP Project is Stefan Esser, formerly a member of php.net’s Security Response Team. Stefan Esser used to have the most active PHP security blog (PHP Security Blog), but for unknown reasons it has not been updated for several months.
I know there are numerous other PHP security resources on the net, but I am hoping that these links will help get you started on finding quality PHP security resources. If anyone has other sources that they frequently use, please post the URL in a comment.