Christian Wenz's Blog: SANS Top-20 Internet Security Attack Targets (2006 Annual Update)

Mon, 27 Nov 2006 10:03:00 -0600

In a new post on his blog, Christian Wenz mentions the latest results of the SANS Institute's Top 20 Internet Security Attack Targets list which both includes a new entry ("Users") and several mentions of PHP and PHP-related applications.

Of course you can debate how such a Top list came together and what the real value behind that is, but there are two specific points in this year's list that I found quite interesting.

There's two targets for the PHP community to worry about - sysadmin/hosting and things developers need to keep in mind. Items on these lists include:

Always test and deploy patches and new versions of PHP as they are released
Use Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. Consider using Apache's mod_security to block known PHP attacks
If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.
Encode all output using htmlentities() or a similar mechanism to avoid XSS attacks

You can check out the full information over on the SANS Institute website.

PHPDeveloper.org

Christian Wenz's Blog: SANS Top-20 Internet Security Attack Targets (2006 Annual Update)