Risk assessment?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Coar
Forum Newbie
Posts: 3
Joined: Tue May 09, 2006 1:05 pm

Risk assessment?

Post by Coar »

I currently work for a company that requires very in-depth information about any "new" software to install on their information systems. While I know how to code in PHP, my problem is getting my company to authorize the server software.

My needs don't include any database support, as all I need is some very simple scripting to provide better support to our users. We currently run an IIS server, with (I believe) pure HTML support only, but that means when we release new data, we would have to create a new page and update our links for all our other pages, which is both time-consuming and a greater chance for error. My script would only reference the page that it exists on, and a few Excel spreadsheets, the HTML version of which already exists. There is no need for database support.

What I am looking for is this, and I was unable to find it on the links provided in the stickied post: is there a resource available, and if so, where, that provides a risk assessment/analysis of running a server that supports PHP?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Since you don't seem to update very frequently, you could write PHP scripts and execute them on a dev server, but write them so that they copy their output to the live/static site. This way your company can continue to deliver static HTML and you don't have to generate it all the time ;)
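The "generate on a dev box, publish static HTML to the live site" approach, as an added example (editor's code, not from the thread or from timvw): a PHP script run on an internal machine that renders the report archive into a static index page and copies it to the IIS document root, so the live IIS server never needs PHP installed. The directory layout, the file names and the `publish.php` invocation are assumptions for illustration; the thread does not describe them.

```php
<?php
// Added example, not code from the original thread: a "publish" script in the
// spirit of timvw's suggestion. It runs on an internal dev machine that has
// PHP installed, renders the report archive into static HTML, and copies the
// result to the IIS document root. The live IIS server stays HTML-only, so
// no PHP runtime ever has to be authorised for it.
//
// Assumptions (hypothetical, not stated in the thread):
//   - $archiveDir holds one HTML fragment per month, named YYYY-MM.html
//     (e.g. 2006-04.html), exported from the Excel report;
//   - the current month's fragment is $archiveDir/current.html;
//   - $liveDir is a path or UNC share that the IIS site serves statically.

declare(strict_types=1);

const REPORT_NAME_PATTERN = '/^\d{4}-\d{2}\.html$/';

/**
 * Return archived report file names, newest first. Only names matching the
 * strict pattern are accepted, so a stray or planted file in the directory
 * can never be linked from, or copied to, the live site.
 */
function listArchivedReports(string $archiveDir): array
{
    $names = [];
    foreach (scandir($archiveDir) as $entry) {
        if (preg_match(REPORT_NAME_PATTERN, $entry) === 1) {
            $names[] = $entry;
        }
    }
    rsort($names, SORT_STRING);   // YYYY-MM sorts chronologically as a string
    return $names;
}

/** Build the complete index page as a string. */
function renderIndex(array $reportNames, string $currentFragment): string
{
    $items = '';
    foreach ($reportNames as $name) {
        // The pattern already restricts the characters, but escaping on output
        // is kept anyway: defence in depth costs nothing here.
        $href  = htmlspecialchars('archive/' . $name, ENT_QUOTES, 'UTF-8');
        $label = htmlspecialchars(substr($name, 0, 7), ENT_QUOTES, 'UTF-8');
        $items .= "    <li><a href=\"$href\">$label</a></li>\n";
    }
    return "<!DOCTYPE html>\n"
        . "<html><head><meta charset=\"utf-8\"><title>Daily report</title></head>\n"
        . "<body>\n<h1>Current month</h1>\n"
        . $currentFragment . "\n"      // trusted: produced by the report owner, not by web users
        . "<h2>Archive</h2>\n<ul>\n" . $items . "</ul>\n"
        . "</body></html>\n";
}

/**
 * Render and publish. Writes index.html via a temporary file plus rename so
 * a visitor never receives a half-written page, then copies the archived
 * fragments. Returns the number of archived reports published.
 */
function publish(string $archiveDir, string $liveDir): int
{
    $reports = listArchivedReports($archiveDir);
    $current = file_get_contents($archiveDir . DIRECTORY_SEPARATOR . 'current.html');
    if ($current === false) {
        throw new RuntimeException("current.html not found in $archiveDir");
    }

    $archiveOut = $liveDir . DIRECTORY_SEPARATOR . 'archive';
    if (!is_dir($archiveOut) && !mkdir($archiveOut, 0755, true)) {
        throw new RuntimeException("cannot create $archiveOut");
    }
    foreach ($reports as $name) {
        copy($archiveDir . DIRECTORY_SEPARATOR . $name, $archiveOut . DIRECTORY_SEPARATOR . $name);
    }

    $final = $liveDir . DIRECTORY_SEPARATOR . 'index.html';
    $tmp   = $final . '.tmp';
    if (file_put_contents($tmp, renderIndex($reports, $current), LOCK_EX) === false
        || !rename($tmp, $final)) {
        throw new RuntimeException("cannot write $final");
    }
    return count($reports);
}

// Usage from the dev box, e.g. a scheduled task after the daily Excel export:
//   php publish.php C:\reports \\webserver\wwwroot
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $n = publish($argv[1], $argv[2]);
    echo "Published index.html with $n archived report(s)\n";
}
```

The security-relevant choices are that the only dynamic input is a directory listing on a machine the report owner controls, that file names are whitelisted by pattern before they are linked or copied, and that the live server receives plain files over a share, so the question of PHP's risk on IIS does not arise at all.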
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I might be inclined to do a Google search for 'Risks associated with running PHP'. As far as a whitepaper or something like that, I am not sure that you'll find one here. I am sure they are out there.

If all you are doing is serving up static HTML pages, technically you don't even need a server. You could put the files on a network drive and everyone could access them from there. If there is a need for a server, a need which I am guessing your company has, then PHP will work with the server much like IIS uses ASP as a server-side scripting language. As for security, there are plenty of things you can do to secure PHP, and even in its default setup, PHP is really secure.

Maybe what you can do also is search for 'Securing PHP' and use anything you find to try to convince your powers that be.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Risk assessment?

Post by Roja »

Coar wrote: What I am looking for is this, and I was unable to find it on the links provided in the stickied post; Is there a resource available, and if so, where, that provides a risk assessment/analysis of running a server that supports PHP?
There are several commercial companies that offer code assessments.

However, from your description, I suspect you are not at all able/willing/likely to pay the large fees they charge to do so. It would easily push your "quick fix" code solution into the same league as unreasonably complex solutions with a large cost.

My suggestion? Put together the working version, request the approval, and put the onus on IT to provide the clear statement of what concerns need to be met.
Coar
Forum Newbie
Posts: 3
Joined: Tue May 09, 2006 1:05 pm

Post by Coar »

Maybe I'm not being clear enough, and for that I apologize.

While I can't go into details of what I do, or who I do them for, I can provide the following:

The current HTML page has an embedded spreadsheet that is a report.
The report is updated daily, and its results cover the current month only.
I'll be using the current HTML page as a foundation for my PHP code.
The entirety of the script will be on one page, and only reference that page.
While we have archived versions of the old reports, they are not available on the website.
In terms of scripting, my code will be fine; I already have it figured out.
There will not be a database referenced, and the code will be breakproof, providing that deliberate bad data is not provided to the web address, but that is not a concern.
All I am trying to provide them with is a simple method to display the archived results, that can be updated by one who is trained after I leave; that won't be difficult.

The only concern that is being presented is how secure the server is with the PHP software, and any negative software interactions that are known.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Coar wrote: The current HTML page has an embedded spreadsheet that is a report.
The report is updated daily, and its results cover the current month only.
So the Excel spreadsheet will be updated by how many people? And the HTML page has this spreadsheet embedded into it how?
Coar wrote:in terms of scripting, my code will be fine, I already have it figured out
there will not be a database referenced, and the code will be breakproof, providing that deliberate bad data is not provided to the web address, but that is not a concern
If you are the only person with access to the data, the code and the server, it is not a problem. If this will ever be interfaced with by someone other than you that can throw data at it, then it could be a problem.
Coar wrote:...while we have archived versions of the old reports, they are not available on the website...
all i am trying to provide them with is a simple method to display the archived results, that can be updated by one who is trained after i leave, that wont be difficult...
the only concern that is being presented is how secure the server is with the PHP software, and any negative software interactions that are known
PHP, by itself, is secure. What makes it insecure are bad php.ini settings (administrator's fault), improper interaction with external libraries (developer's fault), inefficient safety precautions by the developer (developer's fault) and server vulnerabilities (administrator's fault).

This link is from a Google search for PHP security vulnerabilities. It offers some pretty good links to various reference material.
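The "bad php.ini settings" class of risk named above, as an added example (editor's code, not from the thread or from RobertGonzalez): a small audit that compares the running PHP configuration against a hardened baseline. The baseline is this editor's own selection of widely cited directives for a read-only report page, not a list from the thread, from PHP's documentation or from any IIS guidance; the `auditIni` and `normaliseBool` helpers are hypothetical names. Requires PHP 7.1 or later.

```php
<?php
// Added example, not from the original thread: a small audit that checks the
// running PHP configuration against a hardened baseline, covering the
// "bad php.ini settings" class of risk named in the post above. The baseline
// is this editor's own selection of widely recommended directives, not a
// list from the thread, from PHP's documentation or from any IIS guidance;
// adjust it to the server's actual needs before relying on it.

declare(strict_types=1);

/** Directive => [expected boolean value, reason]. Editor's selection. */
function hardeningBaseline(): array
{
    return [
        'display_errors'    => ['0', 'errors with file paths would be shown to visitors'],
        'log_errors'        => ['1', 'errors should go to the log instead'],
        'expose_php'        => ['0', 'stop advertising the PHP version in X-Powered-By'],
        'allow_url_fopen'   => ['0', 'a static-report site has no reason to fetch remote URLs'],
        'allow_url_include' => ['0', 'include()/require() must never load remote code'],
        'register_globals'  => ['0', 'request parameters must not become variables (pre-5.4 builds)'],
        'file_uploads'      => ['0', 'the report page accepts no uploads'],
        'enable_dl'         => ['0', 'scripts must not load extensions at runtime'],
    ];
}

/** Functions a read-only report site never needs; they belong in disable_functions. */
function shellFunctionsToDisable(): array
{
    return ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen'];
}

/** php.ini booleans arrive as "1", "", "0", "On", "Off", "yes", "no"; normalise to "1"/"0". */
function normaliseBool(string $value): string
{
    return in_array(strtolower(trim($value)), ['1', 'on', 'yes', 'true'], true) ? '1' : '0';
}

/**
 * Compare the configuration against the baseline. $lookup mirrors ini_get():
 * it returns the directive's string value, or false if the directive does not
 * exist in this PHP build (e.g. register_globals on PHP >= 5.4). Returns a
 * list of human-readable findings; an empty list means the baseline is met.
 */
function auditIni(callable $lookup): array
{
    $findings = [];
    foreach (hardeningBaseline() as $directive => [$expected, $reason]) {
        $actual = $lookup($directive);
        if ($actual === false) {
            continue;   // directive unknown to this build: nothing to misconfigure
        }
        if (normaliseBool((string) $actual) !== $expected) {
            $findings[] = sprintf('%s=%s (expected %s): %s',
                $directive, var_export($actual, true), $expected, $reason);
        }
    }

    $disabled = array_map('trim', explode(',', (string) $lookup('disable_functions')));
    foreach (shellFunctionsToDisable() as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is callable: add it to disable_functions";
        }
    }
    return $findings;
}

// Run against the interpreter's own settings; exit status 1 if anything is off.
if (PHP_SAPI === 'cli') {
    $findings = auditIni('ini_get');
    echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'Baseline met' . PHP_EOL;
    exit($findings ? 1 : 0);
}
```

Run it once from the command line on the web server after installing PHP, and again whenever php.ini changes. Because `auditIni` takes the lookup as a callable rather than calling `ini_get` directly, the same check can be pointed at a php.ini parsed with `parse_ini_file()` before it is deployed, which is the kind of concrete artefact an IT approval process can be handed.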
Coar
Forum Newbie
Posts: 3
Joined: Tue May 09, 2006 1:05 pm

Post by Coar »

I'm sorry if I seem harsh in the following statements, but what I keep trying to say apparently isn't clear.

I am not concerned about the security of the webpage or the spreadsheet.

I am not concerned about the people who will be updating the webpage or the spreadsheet, as I will be personally training them, or doing it myself.

I am concerned ONLY about the security of the PHP server software, as it pertains to the security of an IIS SERVER. What I need is a list of SERVER VULNERABILITIES or SERVER RISKS created by having the PHP server software installed on an IIS server, and a list of KNOWN software compatibility errors, as we do run a few programs specific to our webserver, programs that need to continue working.
Last edited by Coar on Fri May 12, 2006 10:10 am, edited 1 time in total.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

It sounds like you are not getting the answer you want. I suspect you would do better by looking at the PHP web site or by searching for PHP vulnerabilities. Are there issues with PHP? Sure there are, but most of them come down to A) the admin who installed it; B) the server admin leaving vulnerabilities within the server (not a PHP issue); or C) developers that do not follow secure development practices.

I think I had said that bit before. I am not sure you will get the answer I think you are looking for here. I could be wrong.