PHP Security Consortium

Category: General, security | D.J. | 2/1/2005 @ 4:28 am (Views: 172)
[Summary]:

Founded in January 2005, the PHP Security Consortium (PHPSC) is an international group of PHP experts dedicated to promoting secure programming practices within the PHP community. Members of the PHPSC seek to educate PHP developers about security through a variety of resources, including documentation, tools, and standards.

PHP Security Consortium

The PHP Security Consortium (PHPSC) is an international group of PHP experts dedicated to promoting secure programming practices within the PHP community.

Notification Policy

  1. The vulnerability is verified with the minimum amount of experimentation and testing.
  2. A clear exploit is developed.
  3. A member of the PHP Security Consortium contacts the appropriate parties in order to provide the exploit as well as establish a clear channel of communication.
  4. We reserve the right to notify the appropriate parties before a vulnerability can be verified.

Public Disclosure Policy

  1. When we are aware of a public exploit, we will release as little information as necessary to promote the correction of affected systems.
  2. When we are not aware of any public exploit, we will not disclose any information until after corrective measures are available for affected systems or after a period of four weeks has expired. We will work with the appropriate parties to offer corrective measures as soon as possible, and we reserve the right to grant an extension.



Principals

Chris Shiflett, Founder

Chris Shiflett is an internationally recognized expert in the field of PHP security. His solutions to security problems are often used as points of reference, and these solutions are showcased in his talks at conferences such as ApacheCon and the O’Reilly Open Source Convention and his articles in publications such as PHP Magazine and php|architect.

Chris is a leader in the PHP community, and his involvement includes being the founder of the PHP Security Consortium, the founder of PHPCommunity.org, a member of the Zend PHP Advisory Board, and an author of the Zend PHP Certification.

A prolific writer, Chris has regular columns in both PHP Magazine and php|architect. He is also the author of the HTTP Developer’s Handbook (Sams) as well as the highly anticipated PHP Security (O’Reilly).

Ammar Ibrahim

Ammar Ibrahim is a pioneer in PHP development with over five years of experience. Ammar currently serves as a senior consultant for many leading companies including Al-Bawaba, the largest portal in the Middle East. He most recently developed several enterprise solutions for the American telecommunications firm IPFloat, a leading VoIP provider. Prior to consulting, he worked for four years as part of Syntax Digital, the largest design and development firm in Jordan.

Ammar lives in Amman, Jordan.

Andi Gutmans, Zend Technologies

Andi has been working on PHP since 1997, when, along with Zeev Suraski, he created PHP 3 and later PHP 4. Andi continues to play a leadership role in the PHP community and is a member of both the PHP Group and the Apache Software Foundation. Recently, Andi spearheaded the Zend Engine II’s object-oriented improvements for the newly released PHP 5. Additionally, he brings a rich background in enterprise software development including real-time avionics simulation software and n-tier J2EE applications.

Andi holds a BA in Computer Science from the Technion, Israel Institute of Technology.

Ben Ramsey

Ben Ramsey is a Technology Manager for Hands On Network, an international, non-profit volunteer organization based in Atlanta, Georgia. Before moving to the non-profit sector, he worked for four years as the Technical Director for Roswell, Georgia-based EUREKA! Interactive, Inc. With EUREKA!, he served as the software architect and lead programmer of numerous Web-based applications for local governments and small businesses. Ben is an avid supporter of PHPCommunity.org and a frequent contributor to the PHP mailing lists. He is a member of the PHP Security Consortium, as well as a Zend Certified Engineer and co-founder of Atlanta PHP.

Ben’s areas of expertise range from the client side to the server side, as well as the content side. Ben has written for International PHP Magazine and is a contributing author of PHP Unleashed (Sams). He holds a BA in English from Kennesaw State University and enjoys reading and writing fantasy and science fiction in his spare time.

He lives just north of Atlanta, Georgia with his wife Liz and dog Ashley.

Christian Wenz

Christian Wenz is an author, trainer, and consultant with a focus on web development. He is an author or co-author of over four dozen books, regularly writes for renowned IT magazines, and speaks at developer conferences around the globe. He maintains or co-maintains several PEAR packages and one CPAN package. His current main areas of work are security and web services. Christian holds a “Diplom” (the German equivalent of a Master’s degree) in Computer Science from the Technical University of Munich. He blogs at http://www.hauser-wenz.de/blog/.

Daniel Kushner, Zend Technologies

As the Director of Education, Daniel is responsible for the Zend PHP Certification program. In addition to designing the certification program, he developed the Zend PHP Training program, which provides the necessary study guide and classes to help PHP developers become Zend Certified Engineers. As part of the program, Daniel also initiates and maintains business relationships and partnerships with PHP training facilities worldwide.

Prior to Zend Technologies, Daniel was a Senior Software Engineer at DynamicLogic, responsible for developing integrated research recruitment solutions used in name-brand web sites including Yahoo!, AOL, and Lycos.

Previously, he was a PHP freelancer, developing front and backend web applications, including e-commerce integration, member services and personalization, auction management, email delivery systems, and online file manipulation services for companies such as MTV, Arista, Viacom Outdoor, Accuweather, and Dell Computer Corporation. While freelancing, Daniel was also a PHP training instructor, where he worked with developers from highly acclaimed universities, such as Harvard and Columbia, and companies like Google, The New York Times, and the American Museum of Natural History.

Daniel holds a BS in Computer Science from the Interdisciplinary Center Herzliya, Israel.

David Sklar

David Sklar is an independent consultant specializing in technical training, software development, and strategic planning. He is the author of Learning PHP 5 (O’Reilly), Essential PHP Tools (Apress), and PHP Cookbook (O’Reilly).

After discovering PHP as a solution to his web programming needs in 1996, he created the PX (http://px.sklar.com/), which enables PHP users to exchange programs. Since then, he has continued to rely on PHP for personal and professional projects.

David is an instructor at the New School University and has spoken at many conferences, including the O’Reilly Open Source Conference, the EGovOS Open Source/Open Standards Conference, and the International PHP Conference.

When away from the computer, David eats mini-donuts, plays records, and likes to cook. He lives in New York City and has a degree in Computer Science from Yale University.

Ivan Ristic, Thinking Stone

Ivan Ristic is a web security specialist and the author of ModSecurity, an open source intrusion detection and prevention engine for web applications. He is the founder of Thinking Stone, which offers products and services related to web application security.

An active participant in the web application security community, Ivan spends his days contemplating web application security, web intrusion detection, and security patterns. Prior to moving to the computer security field, Ivan spent a number of years working as a developer, system architect, and technical director in the software development industry.

Marcus Whitney

Marcus Whitney is the Chief Architect of Emma, an email marketing application that powers the email marketing efforts of thousands of organizations around the world, with offices in New York City (where he’s from) and Nashville (where he lives). Prior to his position at Emma, Marcus served as the Internet Systems Architect for Anode, creating the second version of their flagship product FireSign, a dynamic signage server. He has been creating professional web applications for over seven years and began using PHP in 2002.

Marcus is very enthusiastic about the direction that PHP and Zend are taking toward enterprise applications, and when he isn’t working on Emma, he works as an evangelist and educator of professional PHP development. He is a member of the PHP Security Consortium, organizer of the Nashville PHP User Group, and author of the forthcoming Pro PHP 5 (Apress). As a contributor to the open source community, he is the co-author of a framework for PHP application development called CEP: Core Enterprise PHP, which is currently being ported to PHP5. Marcus became a Zend Certified Engineer at php|works in September 2004, where he gave his first presentation on Growing Your Enterprise with OSS.

Marcus is also a really happy dad and husband, and he looks forward to being more involved in his community, both as a volunteer and politically.

Paul Reinheimer

Paul Reinheimer has been an active PHP developer for four years. By day, Paul is writing Professional Web APIs with PHP while pondering the launch of his own startup, Share The Beat. By night, he is pursuing his Bachelor’s in Business Administration and Computer Science from the University of Windsor.

Paul’s interest in PHP security was piqued by reading Chris’s PHP Security Workbook, and he is currently researching security as it relates to APIs and feeds. Paul is also a Zend Certified Engineer.




Copyright © 2005 PHP Security Consortium
