Should enterprises avoid developing applications using PHP? Some say it’s too insecure compared to alternatives.
Research recently released by WhiteHat Security used an automated tool to look at 1,700 websites to see whether there was any correlation between the number of security bugs and the programming language used to build the site. The overall conclusion is that there isn't necessarily one language that is the "most secure." That said, some languages are certainly more conducive to writing organized and easy-to-manage code, and some frameworks provide security controls that are enabled by default. PHP perhaps has a worse reputation than it deserves, partly because it has been so widely deployed, and partly because spammers took advantage of many insecure PHP contact forms to relay spam via email header injection: a newline in a user-supplied field such as the sender address lets the attacker append extra headers (a Bcc: list, for example) to the message the form sends.
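The email header injection mentioned above, as an added example that is not code from the original article: a contact-form header builder in its vulnerable form beside a hardened version. The recipient address, field value and function names are assumed for illustration, and the attacker input is constructed here rather than taken from any real incident.

```php
<?php
// Added example (not from the original article): email header injection in a
// PHP contact form. Recipient, field value and function names are assumed.
declare(strict_types=1);

const RECIPIENT = 'sales@example.com';   // assumed recipient of the form

// VULNERABLE: the user-supplied address is concatenated straight into the
// additional_headers argument of mail(). A CRLF inside $from ends the From:
// field and whatever follows becomes a new header of the attacker's choosing.
function build_headers_vulnerable(string $from): string
{
    return "From: $from\r\nReply-To: $from\r\n";
}

// True if the value contains a line terminator or NUL, i.e. anything that
// could start a new header line once it is placed into the message.
function has_header_injection(string $value): bool
{
    return (bool) preg_match('/[\r\n\0]/', $value);
}

// HARDENED: refuse line terminators explicitly, then require the value to be a
// single valid address before it gets anywhere near mail().
function build_headers_safe(string $from): string
{
    if (has_header_injection($from)
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid sender address');
    }
    return "From: $from\r\nReply-To: $from\r\n";
}

// Constructed attacker input: a plausible address followed by CRLF and a Bcc:
// header listing the spam targets the attacker wants the form to relay to.
$attack = "attacker@example.net\r\nBcc: victim1@example.org, victim2@example.org";

echo "Vulnerable headers:\n" . build_headers_vulnerable($attack) . "\n";
// The output now contains an injected "Bcc:" line; passing it to
// mail(RECIPIENT, $subject, $message, $headers) would relay to the victims.

try {
    build_headers_safe($attack);
} catch (InvalidArgumentException $e) {
    echo "Hardened: rejected (" . $e->getMessage() . ")\n";
}
echo "Hardened: " . build_headers_safe('alice@example.com');
```

The same check belongs on every field that ends up in a header (subject, reply-to, the sender's name), not only the address. Whether a particular PHP build refuses injected headers at the mail() boundary varies by version, so treat that as a last line of defence rather than a substitute for validating the input where it arrives.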
Even the most ardent PHP fan would agree it is a lot easier for an untrained programmer to write insecure code in a language like PHP. There are thousands of examples and tutorials on the Internet explaining how to add fancy features to an application using PHP, but few of them cover how to ensure those features don't make the application vulnerable to attack. The result is that feature-rich PHP applications are often built without security in mind.
Training your developers to write code with security in mind is more important than language selection. CERT (Computer Emergency Response Team) has found that most vulnerabilities discovered in applications stem from a relatively small number of common programming errors that developers make again and again. By eradicating insecure coding practices and focusing on secure coding training, your software developers can quickly reduce or eliminate the number of vulnerabilities that make it through to the final live application. There are lots of excellent, free resources and tutorials on the Internet that you can use to develop your developers' skills in this area. One of the leaders in this field is the Open Web Application Security Project (OWASP), which provides many examples of how to code securely.
The CERT Secure Coding Initiative is working to establish secure coding standards for commonly used programming languages and to advance the practice of secure coding. Another good resource for improving your developers' secure coding skills is Microsoft MSDN Security and its section on writing secure code. There are also various books by Michael Howard, a Microsoft software security expert, that you may be interested in, including "Writing Secure Code", "24 Deadly Sins of Software Security" and "The Security Development Lifecycle". Many of the topics covered apply to any programming language and will help you understand how to code with security in mind, that is, how to use security features correctly and how to write code that can withstand attack.
If you incorporate what you learn from these resources and embed security into the entire application lifecycle, your next application should be robust and able to withstand attack, whatever language you choose to use.
This was first published in September 2011