In a new installation of the Pro::PHP Podcast just released, Paul Reinheimer sits down and talks with Ed Finkler, "web and security archive administrator".

Ed Finkler is also a primary developer on the PHPSecInfo project, an effort to help bring a baseline of security to developers and their applications:

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Check out some of Ed's own comments about the interview in this new blog entry.

In a new installation of the Pro::PHP Podcast just released, Paul Reinheimer sits down and talks with Ed Finkler, "web and security archive administrator".

Ed Finkler is also a primary developer on the PHPSecInfo project, an effort to help bring a baseline of security to developers and their applications:

PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Check out some of Ed's own comments about the interview in this new blog entry.

Ed Filnker has posted a note about the slides that he presented as a part of the 8th Annual CERIAS Information Security Symposium.

The presentation [pdf] looks at the state of PHP development, the parties involved (including the "deployer") and the use of the PHPSecInfo application to help said "deployer" find issues they might miss otherwise. Of course, there's also a section on getting PHPSecInfo up and working on your system (you can unzip, right?) and other add-ons you can use to help avoid questions down the line (like the use of the Zend_Environment security module in the Zend Framework to test security).

Check out the PDF here and keep an eye on his blog for an upcoming video of the presentation.

UPDATE: he's also posted the audio for the presentation as well - grab the mp3.

Ed Filnker has posted a note about the slides that he presented as a part of the 8th Annual CERIAS Information Security Symposium.

The presentation [pdf] looks at the state of PHP development, the parties involved (including the "deployer") and the use of the PHPSecInfo application to help said "deployer" find issues they might miss otherwise. Of course, there's also a section on getting PHPSecInfo up and working on your system (you can unzip, right?) and other add-ons you can use to help avoid questions down the line (like the use of the Zend_Environment security module in the Zend Framework to test security).

Check out the PDF here and keep an eye on his blog for an upcoming video of the presentation.

UPDATE: he's also posted the audio for the presentation as well - grab the mp3.

In the latest security tip from the Zend Developer Zone, Cal Evans points out a tool previously mentioned in passing that he feels deserves its own post - PHPSecInfo.

PHPSecInfo is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the PHP Security Consortium.

The tool allows you to easily run a security audit against your system and find the issues in a familiar phpinfo() style of result. Remember, it's a starting place - not an ending one. Security is more than just running a script to check once and a while.

In the latest security tip from the Zend Developer Zone, Cal Evans points out a tool previously mentioned in passing that he feels deserves its own post - PHPSecInfo.

PHPSecInfo is a great tool to use to keep an eye on your production environment. It was written by Ed Finkler of CERIAS, the Center for Education and Research in Information Assurance and Security at Purdue University. It is officially a project of the PHP Security Consortium.

The tool allows you to easily run a security audit against your system and find the issues in a familiar phpinfo() style of result. Remember, it's a starting place - not an ending one. Security is more than just running a script to check once and a while.

The latest version of the popular (and simple) PHP security audit tool, PHPSecInfo, has been released - version 0.2.

The major changes in this version [zip] include:

• "More info" links to give you details on the specified issue
• CSS/layout changes to make understanding the results simpler
• a new test - PhpSecInfo_Test_Session_Save_Path
• and more...

Check out the Changelog for complete information on the update or just head over and download it now.

The latest version of the popular (and simple) PHP security audit tool, PHPSecInfo, has been released - version 0.2.

The major changes in this version [zip] include:

• "More info" links to give you details on the specified issue
• CSS/layout changes to make understanding the results simpler
• a new test - PhpSecInfo_Test_Session_Save_Path
• and more...

Check out the Changelog for complete information on the update or just head over and download it now.

In a new article on the Zend Developer Zone, Ed Finkler talks a bit about the newly released version of the PHPSecInfo package (version 0.1.2) and what some of the future plans for it are.

New release, new plans! First off, a new build of PHPSecInfo is out. Version 0.1.2, build 20061218. Per usual, get your new version from http://phpsec.org/projects/phpsecinfo/.

New features include:

• Code is now licensed under “New BSD” license. See LICENSE
• fix bug in post_max_size check where upload_max_size value was being checked
• Now providing an md5 hash for releases

And some of the plans for the future include more detailed test results, a web-based "glossary" of howtos on fixing problems, and more tests for more cases.

If you'd like to contribute tests or other resources to the project, head over to its homepage and let them know.

In a new article on the Zend Developer Zone, Ed Finkler talks a bit about the newly released version of the PHPSecInfo package (version 0.1.2) and what some of the future plans for it are.

New release, new plans! First off, a new build of PHPSecInfo is out. Version 0.1.2, build 20061218. Per usual, get your new version from http://phpsec.org/projects/phpsecinfo/.

New features include:

• Code is now licensed under “New BSD” license. See LICENSE
• fix bug in post_max_size check where upload_max_size value was being checked
• Now providing an md5 hash for releases

And some of the plans for the future include more detailed test results, a web-based "glossary" of howtos on fixing problems, and more tests for more cases.

If you'd like to contribute tests or other resources to the project, head over to its homepage and let them know.