Interview: Chris Shiflett of Essential PHP Security

This is the third in a series of interviews we're making available to the CodeSnipers community. We have been working to track down people who we thought had something valuable to say about the software development community, tools, practices, or direction. Some of the names you will recognize immediately, others you've probably never heard of, but all of them have made an impact in one way or another. Without further delay... we have Chris Shiflett author of Essential PHP Security.

Security is one of those things that many developers think to "bolt on" after the main system has been developed. What is the proper way to think about web application security?

Security isn't much different from other abstract concerns such as performance, maintainability, and reliability. None of these characteristics can be added very easily to an existing application - they need to be considered during every stage of development. (It's like trying to add wisdom to a child.)

They're also difficult to measure. The measure of an application's security is its ability to predict and prevent security problems before they are exploited. It's an ongoing process that begins with a solid design.

Your book Essential PHP Security is obviously focused on PHP. Are there specific security concerns or strengths in PHP compared to other languages?

PHP provides you with enough rope to hang yourself. It's not only extremely flexible, but also easy to learn, and this can be a dangerous combination.

However, security is more a characteristic of a developer than a characteristic of a language, and web application exploits are rarely platform-dependent. Essential PHP Security shows you how to develop secure PHP applications, but the topics it covers are relevant to any web development platform.

When you perform a security audit, what sorts of things do you investigate first?

I always begin by analyzing the application's design, organization, and purpose. My priority during this process is to better understand the application, because every application's needs are different.

Once I begin examining the source, I focus on failures to filter input or escape output. To do this, I take two overlapping approaches:

1. Identify input, and trace it forward.

2. Identify output, and trace it backward.

These steps yield tree diagrams that allow me to effectively track data as it's used throughout the application.

If web developers do exactly one thing to improve security, what would be on the top of your wishlist?

Escape output.

I am happy to note an increased awareness of the importance of filtering user input (although the attention needs to be on all input, not just data from the user), but most vulnerabilities are a result of a failure to escape output.

For example, the top two web application security vulnerabilities are cross-site scripting (XSS) and SQL injection, and these are a result of sending tainted data to the client and sending tainted data to a database, respectively. Because these are the predominant remote sources with which web applications communicate, this is hardly surprising.
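The two destinations named in that answer, the client and the database, each need their own escaping. The following is an added example written for this page, not code from the interview or from Essential PHP Security: one constructed tainted value is sent to both destinations, first unescaped and then the way the answer recommends. It assumes a PHP 7+ CLI with the PDO SQLite driver available so the SQL half can actually run offline against an in-memory database.

```php
<?php
// Added example, not Chris Shiflett's code: the same tainted value sent to the
// client (HTML) and to the database (SQL), unescaped and then escaped for each.
declare(strict_types=1);

// Constructed sample input, e.g. the raw value of a ?name= query parameter.
// It carries both an HTML payload and a SQL payload in one string.
$tainted = "<script>alert(1)</script>' OR '1'='1";

// ---- Output to the client ----

// Vulnerable: tainted data is written into the HTML verbatim (XSS).
function renderUnescaped(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: escape for the HTML context the value lands in. ENT_QUOTES also
// covers single quotes (needed inside attribute values); ENT_SUBSTITUTE keeps
// invalid byte sequences from silently producing an empty string.
function renderEscaped(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, $safe</p>";
}

// ---- Output to the database ----

// Vulnerable: the query text is assembled from the tainted value (SQL injection).
function queryUnescaped(string $name): string
{
    return "SELECT id FROM users WHERE name = '$name'";
}

// Hardened: a prepared statement keeps the value out of the SQL text, so the
// database never parses it as SQL; no manual escaping is needed.
function queryPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// In-memory SQLite with two constructed rows, so the queries run offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

echo "Unescaped HTML: ", renderUnescaped($tainted), "\n";
echo "Escaped HTML:   ", renderEscaped($tainted), "\n";

echo "Unescaped SQL:  ", queryUnescaped($tainted), "\n";
// The injected OR clause makes the unescaped query return every row.
$leaked = $db->query(queryUnescaped($tainted))->fetchAll(PDO::FETCH_COLUMN);
echo "Rows returned by the injected query: ", count($leaked), "\n";
// The prepared query compares the whole tainted string as a literal: no rows.
echo "Rows returned by the prepared query: ", count(queryPrepared($db, $tainted)), "\n";
echo "Rows returned for 'alice':           ", count(queryPrepared($db, 'alice')), "\n";
```

The point the example makes concrete is that escaping is a property of the destination, not of the data: the same string needs HTML escaping on its way to the browser and parameter binding on its way to the database, and neither substitutes for the other.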

How does AJAX change security? Are developers prepared for it?

Ajax affects the web application security discipline in two ways:

1. It has the potential to create new vulnerabilities. For example, a developer might not properly enforce access control on Ajax requests, creating backdoor opportunities. In addition, developers who lack a basic understanding of HTTP are more likely to unintentionally expose data when adding Ajax features to applications that handle sensitive data.

2. It has the potential to revive old vulnerabilities. Within the next few years, we're certain to see much more advanced cross-site scripting (XSS) attacks emerge, because client-side technologies are getting more and more sophisticated. The popularity of Ajax will also generate an increased number of attackers who possess a rich understanding of client-side technologies. In other words, Ajax won't make cross-site scripting (XSS) vulnerabilities more likely, but it will make them more dangerous.
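The first of those two points, an Ajax request that is not put through the same access control as the page that issues it, is easy to see in a small handler. This is an added example for this page, not code from the interview: a JSON endpoint that returns a user profile, in the form that answers anyone who finds the URL and in a form that applies the session check and scopes the lookup to the caller. The profile table and the session array are constructed stand-ins for a database query and `$_SESSION`, so the script runs offline under the PHP CLI.

```php
<?php
// Added example, not Chris Shiflett's code: access control on an Ajax endpoint.
declare(strict_types=1);

// Constructed stand-in for a database table of profiles.
const PROFILES = [
    7 => ['id' => 7, 'email' => 'alice@example.test', 'role' => 'admin'],
    8 => ['id' => 8, 'email' => 'bob@example.test',   'role' => 'user'],
];

// Vulnerable: trusts the id in the query string and never asks who is calling.
// The HTML page that embeds the Ajax call may well require a login, but this
// URL can be requested directly, so every profile is enumerable.
function profileUnchecked(array $get): array
{
    $id = (int) ($get['id'] ?? 0);
    $row = PROFILES[$id] ?? null;
    return $row === null ? [404, ['error' => 'not found']] : [200, $row];
}

// Hardened: the endpoint enforces the same rule as the page. It requires an
// authenticated session and lets a caller read only their own record unless
// their role is admin. Returns [HTTP status, body] so the decision is explicit.
function profileChecked(array $get, array $session): array
{
    if (!isset($session['user_id'])) {
        return [401, ['error' => 'authentication required']];
    }
    $caller = PROFILES[(int) $session['user_id']] ?? null;
    if ($caller === null) {
        return [401, ['error' => 'authentication required']];
    }
    $requested = (int) ($get['id'] ?? 0);
    if ($requested !== $caller['id'] && $caller['role'] !== 'admin') {
        return [403, ['error' => 'forbidden']];
    }
    $row = PROFILES[$requested] ?? null;
    return $row === null ? [404, ['error' => 'not found']] : [200, $row];
}

// Emit the response the way an Ajax caller expects it: a status and JSON.
function respond(string $label, array $response): void
{
    [$status, $body] = $response;
    http_response_code($status);
    header('Content-Type: application/json; charset=UTF-8');
    echo $label, ': ', $status, ' ', json_encode($body), "\n";
}

$get = ['id' => '7'];          // constructed: the request asks for alice's record

respond('unchecked, no session', profileUnchecked($get));
respond('checked, no session  ', profileChecked($get, []));
respond('checked, bob asks 7  ', profileChecked($get, ['user_id' => 8]));
respond('checked, bob asks 8  ', profileChecked(['id' => '8'], ['user_id' => 8]));
respond('checked, alice asks 8', profileChecked(['id' => '8'], ['user_id' => 7]));
```

The hardened handler treats the Ajax URL as just another HTTP resource, which is the understanding of HTTP the answer above says developers need: the browser may only ever call it from a logged-in page, but the server cannot assume that, so the check has to live in the endpoint itself.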

Have you ever seen something that made you consider giving up software and living in a tree?

Not yet. :-)

What resources do you recommend to keep up to date on web application security concepts, concerns, and examples?

The PHP Security Consortium is probably the best source of such information, and its library contains links to many other relevant resources.

I also maintain a few other web sites that might be helpful:

http://brainbulb.com/
http://phpsecurity.org/
http://shiflett.org/

You are highly active in the PHP community in a variety of ways. Which has been your favorite so far? What have you learned from your involvement?

I think speaking at conferences has been my favorite contribution, because I get to meet so many people from the PHP community. The Internet is great for bringing people together, but it also sucks the personality out of us.

I doubt I can properly express all that I've learned over the years. The PHP community is a very supportive and sharing group of people, and I think we all tend to learn a lot as a result.

Is there anything that you'd like the CodeSnipers community to know about yourself, your projects, or life in general that I've missed?

I can't think of anything. :-)

About Chris Shiflett: He is the founder and President of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world. Chris is a leader in the PHP community, and his involvement includes being the founder of the PHP Security Consortium, the founder of PHPCommunity.org, a member of the Zend PHP Advisory Board, and an author of the Zend PHP Certification. A prolific writer, Chris has regular columns in both PHP Magazine and php|architect. He is also the author of the HTTP Developer's Handbook (Sams) as well as the critically acclaimed Essential PHP Security (O'Reilly).