Drama on the PHP front: A high-profile member of the open source PHP Security Response Group abruptly has resigned his post.
Stefan Esser said in his blog over the weekend that he left the group, which is responsible for securing the popular open-source programming language for Web applications, because among other things they were resistant to his finding bugs in PHP, and had refused to patch some of the bugs he found.
"The reasons for this are many, but the most important one is that I have realized that any attempt to improve the security of PHP from the inside is futile," Esser wrote in his blog. "The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata."
He said he will now issue some security advisories before their patches are available -- something the PHP Group does not do. "It will also mean there will be a lot more advisories about security holes in PHP." Esser had not responded to requests for an interview as of press time.
But Esser's colleagues, as well as other sources close to the group, disagree with his assessment of the PHP security patching problem. They say Esser's resignation is more about communication among PHP development team members. Andi Gutmans, co-founder and co-CTO of Zend Technologies and a member of the PHP Security Response Group, says there's been some friction between Esser and the rest of the team, as evidenced by some of Esser's previous blog postings.
"Although I urged him personally many times to try and channel his valuable skills in a more positive way, it just never quite worked out," Gutmans says. "This is unfortunate as I think Stefan is a very able person and it's a shame that communication issues got in the way of his work."
But any discord among PHP researchers won't help PHP's security issues. PHP, which was written for ease-of-use, is also known for security woes: A vulnerability in PHP's remote-file inclusion, a.k.a. php-include, landed the number three ranking this fall in Mitre's Common Vulnerability E (CVE) report, up from number six last year.
Its simplicity attracts greener programmers, who are more likely to make mistakes with it. And PHP-based Web servers are a well-known favorite of phishers: Over 85 percent of phishing servers today are Apaches running PHP, according to a TippingPoint study. (See Phishers Launch Zero-Day Exploits.)
Meanwhile, Gutmans and other PHP team members also dispute Esser's claims that they haven't been releasing patches expediently.
"As is common in most open-source projects, we are able to release patches and new releases much faster than most commercial companies," Gutmans says. "That said, there have been some very isolated instances where Stefan felt we weren't moving fast enough. While there might be some truth to that, it is customary for a 'friendly' disclosing party to be patient and work with the vendors to find the best solution, especially when the fixes aren't trivial."
One major point of contention between Esser and the PHP team was when to go public with the vulnerabilities themselves. "We believe in only publicizing vulnerabilities when we provide a fix which our user base can apply. For that reason, it's very important for reporters [of bugs] to be patient and work with us to find the best fix," Gutmans says.
Esser's work is widely respected by other researchers. "Stefan has done more to secure the PHP interpreter in the last few years than most projects accomplish in a lifetime," says researcher HD Moore, director of security research for BreakingPoint Systems.
Gutmans, meanwhile, contends that PHP is no less secure than any other Web app language. "Security errors in Web applications are not only centered around PHP developers," he says. "It is extremely hard to create 100 percent bulletproof Web applications in any language -- the Web is like the wild west -- and vulnerabilities exist everywhere. I believe the main reason why PHP comes up so much is because it's the most popular Web development language."
The PHP group, meanwhile, is investing heavily in securing PHP, including providing the tools needed to secure PHP-based apps, and ensuring that users are provided the best practices needed for writing secure Web apps, he says. "We have a made a lot of progress on all fronts."
Kelly Jackson Higgins, Senior Editor, Dark Reading