Paul Krill
Editor at Large

Update: PHP security issues being addressed, overseer says

news
Oct 10, 2007

Many users run older versions of the platform

Overseers of PHP (Hypertext Preprocessor) are conscious of security concerns with the language and are working to address any problems, one of the developers of PHP said on Tuesday afternoon.

Security is a tough issue, acknowledged PHP platform developer Ilia Alshanetsky in a presentation Tuesday afternoon at the ZendCon conference in Burlingame, Calif.

“Lately, it seems like you solve one security problem, you get five in its place,” he said. Meanwhile, security changes can frustrate developers because fixes can result in taking away functionality developers liked, Alshanetsky added.

But attention has been drawn to PHP through whistle-blowers such as security expert Stefan Esser, who publicized issues in his “Month of PHP bugs” postings. The issues Esser found, however, were not ones that would compromise an application; most were local vulnerabilities, such as giving a hostile user already on the system additional capabilities, said Alshanetsky.

Coverity did an analysis of the PHP code base, Alshanetsky said, but 95 percent of the issues it found were false positives. Nonetheless, PHP overseers are tracking security, have made some fixes, and realize there is more to do, he said. Esser, for his part, got people thinking about security, Alshanetsky said.

(Coverity on Wednesday said the rate of false positives was 27 percent with 127 defects marked false out of 469 defects to date. A company official said Coverity runs an analysis of PHP code on a daily basis. PHP developers have fixed 334 defects identified by Coverity’s Scan project since March 2006, according to Coverity.)

Alshanetsky also said PHP developers worked with Coverity to change the way code initially was scanned, which reduced the number of false positives dramatically.

Testing of PHP is increasing from release to release, but the reality is 90 percent of bugs never get reported, said Alshanetsky. The technique of fuzzing has been used to identify problems by automating the process of finding mistakes. 

Bugs found have not been platform-specific, Alshanetsky said.

Security enhancements being made to PHP include added internal protection to reduce consequences of buffer overflows, enabling the memory limit and adding a nesting limit on input arrays. The safe_mode function for regulating file access has been removed in the upcoming PHP 6 release because it was easy to find a way to bypass that filter, Alshanetsky said.
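The configuration-level mitigations just described (enabling the memory limit, capping the nesting depth of input arrays, and no longer relying on safe_mode for file-access control) can be expressed in php.ini. The fragment below is an added illustration, not configuration from the article or from the PHP project; the directive names memory_limit, max_input_nesting_level, safe_mode and open_basedir are PHP's own, while the paths and numeric values are assumptions chosen for a typical single-site web deployment.

```ini
; Added illustration, not part of the original article. Values are assumed.

; --- Weak configuration: the failure modes the talk describes ---

; No memory ceiling. One runaway request can consume the whole process and,
; with several such requests, the whole server.
memory_limit = -1

; Effectively unbounded nesting of GET/POST/COOKIE arrays (a[b][c][d]...),
; so a malformed request can force arbitrarily deep recursion while parsing input.
max_input_nesting_level = 1000000

; File-access control delegated to safe_mode, the filter the article says
; was easy to bypass and is being removed.
safe_mode = On


; --- Hardened configuration: the mitigations the article lists ---

; Enable the memory limit so a single request cannot exhaust the process.
; 128M is an assumed value; size it to the application's real peak usage.
memory_limit = 128M

; Cap nesting depth of input arrays. 64 is the value PHP ships as a default
; and is far deeper than legitimate forms need.
max_input_nesting_level = 64

; Do not rely on safe_mode. Once it is removed, as the article says is planned
; for PHP 6, this line is simply absent from the file.
safe_mode = Off

; Scope filesystem access explicitly instead. open_basedir restricts file
; operations to the listed directory trees (assumed paths; trailing slash
; prevents prefix matches such as /var/www/example-other).
open_basedir = /var/www/example/:/tmp/
```

After changing the file, confirm the running configuration rather than trusting the edit, since a distribution may load additional ini files that override it: `php -i | grep -E 'memory_limit|max_input_nesting_level|open_basedir'` on the command line, or `ini_get('memory_limit')` and friends from within a script served by the web server (the two can differ when separate php.ini files are used for CLI and web SAPIs).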

“Obviously, with security there is still a lot of work to do and a lot of things we need to improve on,” Alshanetsky said. One concern is that about 78 percent of PHP users run an older version of the language, PHP 4. Many use Version 4.3.10, which is known to have 30 to 40 vulnerabilities, he said.

Improvements under consideration include raising code coverage, the percentage of the code base exercised by tests. Manual code auditing also needs to be done, Alshanetsky said. Faster release cycles, so that fixes reach users sooner, and additional security features have also been suggested.

The PHP team is striving to communicate more rapidly with people who report security issues and to be more open about when a fix can be expected, Alshanetsky said. More informative security announcements are needed, as is better interaction with security researchers, he said.
