Ed Finkler is also a primary developer on the PHPSecInfo project, an effort to help bring a baseline of security to developers and their applications:

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Check out some of Ed's own comments about the interview in this new blog entry.

The presentation [pdf] looks at the state of PHP development, the parties involved (including the "deployer") and the use of the PHPSecInfo application to help said "deployer" find issues they might miss otherwise. Of course, there's also a section on getting PHPSecInfo up and working on your system (you can unzip, right?) and other add-ons you can use to help avoid questions down the line (like the use of the Zend_Environment security module in the Zend Framework to test security).

Check out the PDF here and keep an eye on his blog for an upcoming video of the presentation.

UPDATE: he's also posted the audio for the presentation as well - grab the mp3.

PHPSecInfo is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the PHP Security Consortium.

The tool allows you to easily run a security audit against your system and find the issues in a familiar phpinfo() style of result. Remember, it's a starting place - not an ending one. Security is more than just running a script to check once and a while.

The major changes in this version [zip] include:

• "More info" links to give you details on the specified issue
• CSS/layout changes to make understanding the results simpler
• a new test - PhpSecInfo_Test_Session_Save_Path
• and more...

New release, new plans! First off, a new build of PHPSecInfo is out. Version 0.1.2, build 20061218. Per usual, get your new version from http://phpsec.org/projects/phpsecinfo/.

New features include:

• Code is now licensed under '�New BSD'� license. See LICENSE
• fix bug in post_max_size check where upload_max_size value was being checked
• Now providing an md5 hash for releases

If you'd like to contribute tests or other resources to the project, head over to its homepage and let them know.

Intrigued as much by this project, as I was by the fact that Ed wrote me and told me it was time for me to interview him, I called Ed and we talked about the project.

They talk about where the idea for the tool came from, one of the targets for the use of the project (those on shared hosting), and the mention that it is modular in design and they are more than happy to have developers work up tests to be sure things are working 100% correctly.

Ed Finkler of the PHP Security Consortium has launched a new project to help developers and system administrators audit PHP environments. PHPSecInfo provides a simple-to-use security audit system for the PHP environment, with a look and feel similar to that of the phpinfo() function.

PHPSecInfo currently has a suite of 16 tests. Interested PHP developers are encouraged to propose and write new tests for consideration as well as help refine the existing test suite. You can find contact information for Ed Finkler and any member of the PHP Security Consortium online at http://phpsec.org/contact/.

The development of the project is being partially sponsored by CERIAS at Purdue University. There's an example of the output from the script and a download dated for the beginning of August. Contributions are welcome and accepted, especially in certain areas like documentation, test writing, suggestions, and feedback.