Security is a topic dear to my heart. It’s core to enabling the privacy of many billions of web citizens. We, as web craftspeople, have a duty and responsibility to care for, prioritise and make decisions that benefit our customers, clients, friends and family online. However, we so often fall short of the mark, whether through lack of time, lack of knowledge or the sheer energy it can take. Building secure software can be hard.
When we get security wrong, either through laziness or neglect, the implications can be huge. We’ve seen high-profile and high-impact breaches like Ashley Madison, and it’s with mild irony that I share my thoughts on security on the same day that Yahoo disclosed a breach of more than 1 billion user accounts. While each breach and vulnerability is unique in its own right, together they show us what happens when things go badly. The recent DDoS against Dyn also demonstrated the sheer scale of the insecure Internet of Things and how readily it can be harnessed as a weapon against us. You might not consider PHP a popular language for embedded hardware and IoT, but the commonality is the lack of attention to security.
We, as craftspeople of 82.4% of the internet, have a crucial role in fixing the security mindset of our community.
As a language, PHP is getting better. We’ve removed features that perpetuated set-and-forget mindsets (register_globals and magic_quotes are gone), chosen smart and secure defaults (password_hash() picks a strong algorithm and a random salt for you), and even removed the ability to make some insecure decisions at all (the old mysql extension, which offered no prepared statements and so invited string-built queries, was dropped in PHP 7).
As a community, however, we’re significantly falling short of the mark. In my recent State of the Version post I show that, at a best guess, at most 40% of PHP installs in the wild can be considered probably secure, leaving over 60% insecure.
That 60% majority of insecure installs merely perpetuates the contempt culture towards PHP as a language and our community at large.
However, my friends and phpellow coders, security is everyone’s responsibility, not just the concern of a mailing list on internals.
Bad advice is everywhere, and it’s not helping us. And yet there are also some fantastic resources at our disposal too!
- Familiarise yourself with the OWASP Top 10. Read it again, then start adding tests and processes to improve your application over time.
- Read PHP The Right Way – Security. Read it again, and follow it.
- Pick conference sessions about security. I find Tom Eastman’s The dangerous, exquisite art of safely handling user-uploaded files a great start.
- Familiarise yourself with the PHP Manual – security guide.
- Keep your installations up to date and patched. Follow the PHP migration guides, plan for new versions of PHP and prioritise time to update.
- Take a look at the CVE list and start to understand some of the vulnerabilities that occur.
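As a concrete illustration of the user-uploaded-files problem mentioned above, here is an added example of the naive pattern next to a hardened one. This is my own code, not from the original post and not from Tom Eastman’s talk; it assumes a form field named "upload", a hypothetical storage directory outside the web root, and that only PNG and JPEG images are wanted.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumptions: the form
// field is "upload", $storageDir is a hypothetical directory outside the
// document root, and only PNG/JPEG images are acceptable.

// --- The pattern to avoid -------------------------------------------------
function naiveUpload(string $webRootUploads): string
{
    // Trusts the client-supplied file name and MIME type. A file uploaded
    // as "shell.php" with type "image/png" lands inside the web root as-is,
    // and "../" in the name can escape the upload directory altogether.
    $dest = $webRootUploads . '/' . $_FILES['upload']['name'];
    move_uploaded_file($_FILES['upload']['tmp_name'], $dest);
    return $dest;
}

// --- Hardened version -----------------------------------------------------
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
// Sniffed MIME type => extension the server will assign.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Store one entry of $_FILES safely and return the server-chosen file name.
 * Throws RuntimeException on any failed check.
 */
function storeUpload(array $file, string $storageDir): string
{
    // 1. PHP's own error code first; anything but UPLOAD_ERR_OK is a reject.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (int) $file['error']);
    }
    // 2. Make sure the temp path really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Enforce a size cap independent of upload_max_filesize.
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 4. Sniff the content; ignore $file['type'] and $file['name'], both
    //    are attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported content type');
    }
    // 5. Confirm it decodes as an image. Note this does not defeat a
    //    polyglot (a valid image with PHP appended), which is why the file
    //    must also live outside the web root and never be executed.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // 6. Server-chosen name: random, extension derived from the sniffed type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Usage (storage directory outside the document root, files served back
// through a download handler that sets Content-Type from ALLOWED_TYPES):
// $stored = storeUpload($_FILES['upload'], '/var/app/uploads');
```

The two halves differ in where trust is placed: the naive version trusts everything the browser sent, while the hardened version trusts only what the server can verify itself (PHP’s upload bookkeeping, the sniffed content, its own random name) and still assumes the stored file may be hostile by keeping it out of any executable path.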
So here’s my call to arms: let’s make 2017 the year of the responsible, security-minded developer.