Brandon Savage has written up a look at the Suhosin patch for PHP (a project lead by Stefan Esser), what it can do for your PHP installation and his opinion on the benefits.

Last week, I received an email from someone who told me how the Suhosin patch had created problems for their team, and suggested that I write about it here. I thought this was a great idea, for a number of reasons. Particularly, Suhosin is one of those PHP patches that alters the way PHP operates in a fundamental fashion, yet also is installed by default in many places (for example, Ubuntu compiles this patch in by default on their installation).

He talks about some of the features it includes - disabling eval, not allowing for remote includes, makes it possible to modify the memory limit per script and allows you to set limits on the length of REQUEST arrays. He notes that, while the Suhosin patch is a good thing and can make a real difference in your application, it's by no means a requirement to creating a secure application (and shouldn't be used as a replacement for such).

There's also an interesting comment from Stefan Esser himself on the comments Brandon made in the post.

The ThinkPHP blog points out a recorded (German-only) webinar that Stefan Esser did covering the creation of secure LAMP applications.

Unfortunately, this Webinar was in German, but if you understand German you might be interested in the Webinar recording which is now available at MySQL's website.

The webinar looks at previous attack types, things that MySQL already includes to help prevent SQL injections, handling multi-byte caharacters and correct error handling.

Two bloggers have commented on the recent nomination of Stefan Esser to eWeek's "Top 100 Most Influential People in IT" - Ben Ramsey and Stas (on the PHP 10.0 Blog).

Ben congratulates Stefan for the nomination, for making the list when others in the PHP community didn't.

Stas, on the other hand, disagrees a bit with some of the comments made by the reporter that wrote up Stefan's piece:

I do not see how reporting a bunch of vulnerabilities (most of them fixed by the time of publication - for which thanks to Stefan Esser as the responsible reporter) is "thoroughly exposing the insecure nature of PHP". Bugs and bug reports - including ones that may affect security in one way or another - are nothing but commonplace in both open-source and non-open-source software worlds.

You can check out the full list for yourself on the eWeek site.

As the ThinkPHP blog points out today, Stefan Esser has been named one of the "15 Most Influential People in Security Today" by eWeek.

If there's a security hole in PHP, chances are it was found by Stefan Esser, an open-source security specialist. Esser's advisories about flaws in Linux, NetBSD, Samba, Ethereal, CVS, Subversion, MySQL and PHP are legendary. [...] His "Month of PHP Bugs" project thoroughly exposed the insecure nature of the widely deployed PHP language and forced a rethink about security in the open-source world.

Check out the slideshow for other people in the list including Michal Zalewski of Google and Ivan Krstic of the "One Laptop Per Child" project.

On the PHP Security Blog today, Stefan Esser points out an interview he did with BlogSecurity concerning the current state of security on the WordPress software.

In the Interview they talk about several different aspects and security-related concerns including:

• a previous critical SQL injection vulnerability in WordPress
• Esser's general thoughts on the software
• his recommendations for the WordPress team
• improvements and suggestions for other blogging software he has

Check out this post on the BlogSecurity site for the complete interview.

The ThinkPHP Blog has some new information posted about a collaboration between the Mayflower Group and Stefan Esser (and the Hardened-PHP Project) to create SektionEins.

SektionEins specializes in Web Application Security, supporting every web platform available out there. Of course there is some special knowledge in the area of PHP included and the Chorizo and Consulting experience does add a lot of Web2.0 knowhow.

With SektionEins both Suhosin and Chorizo found a new home. And so does Web Application Security.

Currently, the new service hasn't launched yet, but you can enter your email address to be notified when it's open for business.

Jeremy Privett is back with a few more thoughts on the PHP community, specifically focused on one developer - Stefan Esser.

Just reading the title of the entry through my Live Bookmarks in Firefox, I can't help but think "Thank you, Stefan, for fixing a security vulnerability in PHP and making the language that I love that much more solid and secure." - Okay, maybe that was a bit of an exaggeration, but it needs to be said that Stefan Esser does do PHP a good service through finding and reporting these kinds of vulnerabilities.

He goes on to talk about the other side of the situation, the actions of Esser that could lead to this sort of situation:

I know he's got his reasons for having issues with the developers, and if everything he's constantly ranting and raving about is indeed true, all the more reason to have issues. But do not lower yourself to their level, if that's the case. Constantly and consistently belittling PHP Developers and Zend Employees, whether on your blog or in the PHP Internals list itself, does not make you any better than them.

Jeremy suggests that these sort of actions (and reactions) aren't helping the PHP community step up to become seen as a more "Enterprise quality" language.

Frank Lopez has tipped us off to a new article over on the ComputerWorld website of an interview by Howard Dahdah with Stefan Esser about the recently passed Month of PHP Bugs project he's just wrapped.

Last month, Stefan Esser, an independent security consultant and a founder of both the Hardened-PHP Project and PHP Security Response Team (which he has since left), launched his Month of PHP Bugs as a way of improving the security of PHP by outing flaws in its source code.

Making himself a target for criticism through this undertaking (the PHP developer community is a spirited bunch), Esser was surprised at the positive feedback he received at the conclusion of the project. He speaks here with Howard Dahdah.

They talk about the outcome of the project, what he (Esser) thinks he's achieved, what kind of feedback he's gotten about it, and what kind of impact this should have on the opinions the use of PHP for businesses and developers all across the community.

Over on the SecurityFocus website, there's an interview posted with Stefan Esser of the Hardened-PHP Project (as interviewed by Federico Biancuzzi.

Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the upcoming "Month of PHP bugs" initiative, and common mistakes in the design of well-known applications such as WordPress.

Some of the topics discussed include

• the Hardened-PHP Project
• Suhosin
• the PHP Security Response Team (his role in it and why he left)
• PHP5's security focus versus PHP4's
• and more...

Ilia Alshanetsky posts today about the proposed "Month of PHP bugs" that Stefan Esser is proposing:

It would be interesting to see what issues he discovers, hopefully most of them have already been reported to the PHP Security Team, in which case the upcoming 5.2.1 release will provide a resolution path for affected users.

Hopefully, as Ilia states, the bugs will not turn out to be zero-day vulnerabilities and will instead be smaller issues. Either way, a bug-fix patch will probably soon follow.

Either way, I have to look at this as a free security audit of PHP by someone with a clue about security and ultimately, in the long run it will only make PHP better, even if March is going to be rather busy.