PHP Community Takes Steps to Stop Installation of Libraries with Unpatched Bugs


Some of the most influential voices in the PHP community have united on a project to improve the security of the PHP ecosystem.

Under the name of FriendsOfPHP, this group has created a database that includes references and details for known security vulnerabilities affecting various PHP projects and libraries.

The purpose of this database is to serve as a single reference for which versions of each PHP project or library are known to be vulnerable, and therefore which versions are safe to use or to upgrade to.

New project tackles security advisories in the PHP world

This project, known under the simple name of the PHP Security Advisories Database, is steadily gaining popularity on GitHub.

The PHP Security Advisories Database is also at the heart of Roave Security Advisories, a Composer package that can be added as a dependency to any PHP project.

“Roave/SecurityAdvisories uses FriendsOfPHP as its data source to build a conflicting set of require statements to prevent insecure dependencies from being installed,” Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, told Bleeping Computer.

This means that any PHP developer can add this package to their project's dependencies, after which Composer will refuse to install known-vulnerable versions of other packages, preventing the accidental deployment of vulnerable code.

Better protection against unpatched flaws, zero-days

Recently the FriendsOfPHP database received an important update. Following a series of discussions and modifications to the code, the database can now reliably carry entries for projects that contain vulnerabilities for which no fix has been released [1, 2, 3].

This update adds an extra layer of protection against abandoned libraries and against libraries whose disclosed flaws have not yet been patched by their maintainers (the zero-days of the heading above).

Because Roave/SecurityAdvisories is generated from the FriendsOfPHP database, these updates also flowed into that library.

This means that the next time developers run Composer to install or update their project's dependencies, it will stop with a dependency-conflict error if any of the project's libraries is affected by a flaw that has not yet been patched.
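As an added illustration of the mechanism described in the two passages above (blocking vulnerable versions through Composer conflicts, and keeping unfixed flaws blocked), here is a small PHP script. It is not part of the article, of the FriendsOfPHP database or of Roave/SecurityAdvisories. It builds a Composer-style `conflict` map from a constructed list of advisories and checks a constructed set of installed versions against it. The package names, version ranges, advisory titles and the `example/security-advisories` package name are all hypothetical; the open-ended range is simply how this example represents a flaw with no fixed version, not necessarily how the real database encodes such entries; and the constraint evaluator handles only the comparison operators used in the sample, not Composer's full constraint syntax.

```php
<?php
declare(strict_types=1);

// Constructed advisory entries in the spirit of the FriendsOfPHP database.
// Package names, titles and ranges are hypothetical, not real advisories.
// Each entry lists the affected version ranges in Composer constraint syntax.
const ADVISORIES = [
    ['package' => 'acme/router',   'title' => 'Path traversal in route loader',   'versions' => ['>=1.0,<1.4.2']],
    ['package' => 'acme/router',   'title' => 'Path traversal in route loader',   'versions' => ['>=2.0,<2.1.1']],
    // Unfixed flaw: the range has no upper bound, so every release from 0.9 onward,
    // including the latest, stays blocked until a fix ships and the advisory gains
    // a closing "<x.y.z" bound.
    ['package' => 'acme/template', 'title' => 'Sandbox escape (no fix available)', 'versions' => ['>=0.9']],
];

/**
 * Turn advisories into a Composer "conflict" map: package => constraint.
 * Ranges for the same package are joined with "|" (OR), so the resulting
 * constraint reads as "none of these versions may be installed".
 */
function buildConflicts(array $advisories): array
{
    $ranges = [];
    foreach ($advisories as $adv) {
        $ranges[$adv['package']][] = implode(',', $adv['versions']);
    }
    return array_map(fn(array $r): string => implode('|', array_unique($r)), $ranges);
}

/**
 * Minimal evaluator for the constraint subset used above: comma-separated
 * comparison terms (AND) joined by "|" (OR). Composer's real resolver also
 * understands ^, ~, wildcards and stability flags; this toy version does not.
 */
function matchesConstraint(string $version, string $constraint): bool
{
    foreach (explode('|', $constraint) as $orGroup) {
        $allHold = true;
        foreach (explode(',', $orGroup) as $term) {
            if (!preg_match('/^(>=|<=|!=|>|<|=)?\s*(\S+)$/', trim($term), $m)) {
                throw new InvalidArgumentException("Unsupported constraint term: $term");
            }
            // version_compare() accepts "==" but not "="; a bare version means equality.
            $op = ($m[1] === '' || $m[1] === '=') ? '==' : $m[1];
            if (!version_compare($version, $m[2], $op)) {
                $allHold = false;
                break;
            }
        }
        if ($allHold) {
            return true;
        }
    }
    return false;
}

/** Report every installed package whose version falls inside its conflict constraint. */
function findBlocked(array $installed, array $conflicts): array
{
    $blocked = [];
    foreach ($installed as $name => $version) {
        if (isset($conflicts[$name]) && matchesConstraint($version, $conflicts[$name])) {
            $blocked[$name] = sprintf('%s is inside conflict range %s', $version, $conflicts[$name]);
        }
    }
    return $blocked;
}

$conflicts = buildConflicts(ADVISORIES);

// The shape of composer.json a generated conflict-only metapackage would carry
// (package name is hypothetical).
echo json_encode([
    'name'     => 'example/security-advisories',
    'type'     => 'metapackage',
    'conflict' => $conflicts,
], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n\n";

// Constructed snapshot of what a project's composer.lock might pin.
$installed = [
    'acme/router'   => '1.4.1',   // inside >=1.0,<1.4.2       -> blocked
    'acme/template' => '3.2.0',   // inside open-ended >=0.9    -> blocked (unfixed flaw)
    'acme/other'    => '1.0.0',   // no advisory               -> allowed
];

foreach (findBlocked($installed, $conflicts) as $name => $why) {
    echo "BLOCKED: $name: $why\n";
}
```

Running this prints the generated `conflict` section and then two BLOCKED lines, one for `acme/router` 1.4.1 and one for `acme/template` 3.2.0. The second case is the point of the unfixed-flaw update: because the range never closes, no version of that package passes, so a project that requires it cannot resolve its dependencies until the advisory is amended with a fixed version. In a real project the same effect comes from Composer's own resolver reading the conflict map, not from a hand-written checker like this one.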

“More generally, the ‘how to handle advisories for projects that haven’t fixed them yet?‘ question has been answered, so this should become a reliable way to stop people from running vulnerable code,” Arciszewski says.

PHP is getting safer, one small step at a time

While PHP has been the butt of programming jokes for much of the past decade, for various reasons, there have been strong efforts to improve the language's performance [1, 2, 3, 4] and security [1, 2].

With the recent work on the FriendsOfPHP database and the Roave/SecurityAdvisories project, it is encouraging to see PHP developers increasingly treating security as a requirement of web applications in its own right, alongside performance work and polished user interfaces.

“If you think it’s dangerous to install dependencies from projects that responded to vulnerability disclosures with ‘meh‘, add [Roave/SecurityAdvisories] to all your Composer projects today,” Arciszewski adds.
