"Fixing" the Web

December 18, 2006

If any of you haven’t heard, at one of the fairly recent PHP conferences Rasmus Lerdorf declared that the internet is broken. Yep, and he said it is the fault of developers (you). His points were centered around application security and how many developers, specifically PHP developers, are perpetuating the problem by not adhering to industry best practices as they relate to secure programming.

Well, I was just exposed to the concept of “tainted data” by a blog post from Tobias Schlitt. He mentions this concept isn’t new on the PHP-DEV lists but that this one is particularly well thought out. From an end-user’s standpoint I couldn’t agree more. Part of what I have been doing in the framework components I’ve been helping develop is loosening the noose that developers use to hang themselves. For example, I love the Flexy template engine because it was one of the first PHP templating engines to escape all output by default (this includes nastiness like JavaScript). I see implementing the “tainted data” concept as a huge differentiator for PHP as well as a great addition to our security toolbox. The easier we can make it for developers to recognize their problems, the better we are. Still not convinced? How about a practical example.

I’ve inherited a lot of code over my career, either directly as a result of developer turnover or because we’ve acquired some new software. We hardly ever do spot checks from a security standpoint, mainly because there are few good, cheap tools to do this for us. However, with a “tainted data” implementation I could very quickly gauge how big the problems might be by simply test driving the application and making quick fixes using things like the new filter functions in PHP or the filter library from the Zend Framework. I don’t pretend this would be an exhaustive exercise as far as getting rid of security concerns from code, but it would raise the bar for the minimum level of acceptance.
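To make the two ideas above concrete (untrusted request data carrying a taint until it is filtered, and output being escaped by default as in Flexy), here is a small userland sketch in PHP. It is an added example written for this page, not code from the post, from Tobias Schlitt’s proposal or from the PHP-DEV discussion; the `Tainted` class, `taintRequest()` and the sample request values are all constructed for illustration, and only `filter_var()` and `htmlspecialchars()` are real PHP functions.

```php
<?php
// Added example (not from the original post): a minimal "tainted data"
// wrapper in userland PHP. Everything read from the request is wrapped as
// Tainted; the only ways out are a PHP filter (for validation) or an
// HTML-escaping accessor (for output). Requires PHP 7.4 or later.

final class Tainted
{
    private string $value;

    public function __construct(string $value)
    {
        $this->value = $value;
    }

    // Return a clean string only after validation with a PHP filter.
    // $filter is a FILTER_* constant (e.g. FILTER_VALIDATE_INT);
    // null is returned when the value does not pass the filter.
    public function filter(int $filter, $options = 0): ?string
    {
        $result = filter_var($this->value, $filter, $options);
        return $result === false ? null : (string) $result;
    }

    // Escape-by-default output, the Flexy behaviour the post praises.
    public function toHtml(): string
    {
        return htmlspecialchars($this->value, ENT_QUOTES, 'UTF-8');
    }

    // Deliberately no __toString(): using a Tainted value where a string
    // is expected throws an Error (PHP 8), so a forgotten filter shows up
    // while test-driving the application rather than in production.
}

// Wrap the whole request once so the application never sees raw $_GET.
function taintRequest(array $get): array
{
    $tainted = [];
    foreach ($get as $key => $value) {
        if (is_string($value)) {
            $tainted[$key] = new Tainted($value);
        }
    }
    return $tainted;
}

// Constructed sample input standing in for $_GET.
$input = taintRequest([
    'page' => '3',
    'name' => '<script>alert(1)</script>',
]);

// Sink 1: an integer parameter. Filtering either yields a clean value
// or fails loudly; there is no way to use $input['page'] unfiltered.
$page = $input['page']->filter(FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($page === null) {
    http_response_code(400);
    exit('bad page parameter');
}

// Sink 2: HTML output is escaped by default.
echo '<h1>Hello, ' . $input['name']->toHtml() . '</h1>';

// Sink 3: using the raw value fails immediately (uncomment to see the Error):
// echo 'Hello, ' . $input['name'];
```

Run it from the command line with `php taint.php`: the `page` value validates as the integer 3, and the `name` value is emitted with its angle brackets turned into `&lt;` and `&gt;` entities, so the script element never reaches the browser as markup. The wrapper is not a substitute for engine-level taint tracking, which is what the PHP-DEV proposal is about, but it shows the same shape: data is untrusted by construction, and the escape or filter step is the only path to a usable string.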

If you agree with this, I’d recommend you show your support by mentioning it to the PHP developers. In the meantime, let this serve as another reminder to all developers to practice secure programming and help us “fix” the web.
