A quick look at the analytics of the symfony website tells us a lot about what people need in addition to the symfony core. Here is the top 20 plugins based on the number of page views of the corresponding wiki pages in the last 30 days.

Among those on the list are things like:

• sfSimpleCMSPlugin
• sfSimpleBlogPlugin
• sfControlPanelPlugin
• sfCaptchaPlugin
• sfPropelLoadbalancerPlugin

Check out the full list for other great plugins that made it into the Top 20.

What follows is a breakdown of the 20 PHP-based applications that had the highest aggregate vulnerability scores (NIST assigns a score from 1-10 for the severity of each entry), and the highest total number of vulnerabilities, over the past 12 months. Of the two, I feel that the aggregate score is a better indicator of security issues.

The Excel charts show the total NVD score and the total number of NVD entries for several popular PHP applications (like phpBB, phpMyAdmin, TikiWiki, and Joomla). He also notes that there are some other extenuating circumstances surrounding these numbers (not a level line) and that the trend seems to be more on the side of issues with forums than any other type of PHP application.

Of course you can debate how such a Top list came together and what the real value behind that is, but there are two specific points in this year's list that I found quite interesting.

There's two targets for the PHP community to worry about - sysadmin/hosting and things developers need to keep in mind. Items on these lists include:

• Always test and deploy patches and new versions of PHP as they are released
• Use Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. Consider using Apache's mod_security to block known PHP attacks
• If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.
• Encode all output using htmlentities() or a similar mechanism to avoid XSS attacks