Wednesday, March 14, 2007

How to Write Secure PHP Code


=== CONTENTS ===================================================

IN FOCUS: How to Write Secure PHP Code

NEWS AND FEATURES
- Panda Software Sees Rise in Rootkits
- Relative Unknowns Top Antivirus Test Chart
- Microsoft Pushes Ahead with OneCare
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Gaping Hole in Wordpress
- FAQ: Windows Not Ready for Daylight Savings Time
- Tell Us About the Products You Love!
- Share Your Security Tips

PRODUCTS
- NAC Appliance Gets Cheaper and Faster

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: HP ================================================

Free Brief: Personal HP Workstations = Higher ROI?
Discover why financial services executives get a LOT more out of
their IT investments by investing in HP Personal Workstation
Technology. Quickly learn how workstations ensure accuracy and security
while driving down short- and long-term operating costs. This quick-
read guide is a must read today.

http://list.windowsitpro.com/t?ctl=4DFD5:4160B336D0B60CB125E47E55ECE19021


=== IN FOCUS: How to Write Secure PHP Code =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about a few things you need to know about securing
your PHP installations. I also pointed to several sites that offer good
information about what to look out for and what configuration changes
you might need to make. If you missed that article, you can read it on
our Web site at the URL below.

http://list.windowsitpro.com/t?ctl=4DFC7:4160B336D0B60CB125E47E55ECE19021

If you have PHP installed, then obviously you're going to run PHP code.
Some of that code might be written by third-party developers and some
of it you might write yourself. Either way, you should learn about
secure coding practices for PHP. Doing so can help you write better
code and help you audit third-party code for potential problems.

As an example of why the latter is important, be sure to read my blog
article "Gaping Hole in Wordpress" (you can link to it from the GIVE
AND TAKE section of this newsletter below) to learn about how someone
slipped some "back doors" into Wordpress, which is a hugely popular
PHP-based blogging platform. You can write simple scripts that audit
third-party code to look for potential back doors by scanning the code
for any or all of the dangerous functions I discussed last week.
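The audit script described above, as an added example that is not code from the newsletter or its author, written in Python rather than PHP; the watch list of function names is this example's own assumption, since the functions covered "last week" are not repeated here:

```python
import re

# Assumed watch list: the newsletter refers to "the dangerous functions I
# discussed last week" without repeating them, so these names are the
# example's own choice of PHP functions that deserve a reviewer's eye.
DANGEROUS_CALLS = (
    "eval", "exec", "system", "shell_exec", "passthru", "popen",
    "proc_open", "assert", "create_function", "preg_replace",
)
# include/require are language constructs, often written without parentheses.
FILE_INCLUDES = ("include", "include_once", "require", "require_once")
# Request-derived superglobals; a flagged call fed from one of these on the
# same line is the classic shape of a planted back door.
USER_INPUT = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

# A call is the name followed by "(" and not preceded by "$" (a variable),
# "->" / "::" (a method) or an identifier character (e.g. "evaluate(").
_CALL_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(map(re.escape, DANGEROUS_CALLS)) + r")\s*\(",
    re.IGNORECASE,
)
_INCLUDE_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(FILE_INCLUDES) + r")\b", re.IGNORECASE
)

def scan_php(source):
    """Return (line_no, name, severity) per flagged construct; commented-out
    code is reported too, since dormant code still deserves a look."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        names = [m.group(1).lower() for m in _CALL_RE.finditer(line)]
        names += [m.group(1).lower() for m in _INCLUDE_RE.finditer(line)]
        severity = "high" if any(s in line for s in USER_INPUT) else "review"
        findings.extend((line_no, name, severity) for name in names)
    return findings

# Constructed sample standing in for a third-party PHP file; not real code.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
include $page . '.php';
$total = evaluate($items);            // similar name, not eval
$obj->system('status');               // a method call, not the builtin
exec('ls -l ' . escapeshellarg($dir));
eval($_REQUEST['code']);
"""

if __name__ == "__main__":
    for line_no, name, severity in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: {name} [{severity}]")
```

Obfuscated names (string concatenation, variable functions) and data that flows in from another line slip past a textual scan like this, so treat its output as a reading list for manual review rather than a verdict.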

To help you write your own secure PHP code, I went looking for
resources and found several decent Web sites that provide writing aid
and some tools that look for coding vulnerabilities. The sites at the
URLs below are a big help, so take some time to study them carefully.
If you know of any others, send me a message with a URL and I'll share
it here in the newsletter for everyone's benefit.

Secure Programming in PHP

http://list.windowsitpro.com/t?ctl=4DFC6:4160B336D0B60CB125E47E55ECE19021

PHP - Secure coding

http://list.windowsitpro.com/t?ctl=4DFC0:4160B336D0B60CB125E47E55ECE19021

Secure Programming for Linux and Unix HOWTO, Chapter 10, Language-
Specific Issues, 10.8 PHP (this pertains to Windows also)

http://list.windowsitpro.com/t?ctl=4DFBC:4160B336D0B60CB125E47E55ECE19021

PHP Security Consortium's PHP Security Guide

http://list.windowsitpro.com/t?ctl=4DFDA:4160B336D0B60CB125E47E55ECE19021

PHP Input Filter (Developer Shed's Network, PHP Scripts)

http://list.windowsitpro.com/t?ctl=4DFBD:4160B336D0B60CB125E47E55ECE19021

SecurePHP Wiki

http://list.windowsitpro.com/t?ctl=4DFCD:4160B336D0B60CB125E47E55ECE19021

PHP Top 5 (security problems extracted from SANS Top 20 list)

http://list.windowsitpro.com/t?ctl=4DFD4:4160B336D0B60CB125E47E55ECE19021

Top 10 ways to crash PHP

http://list.windowsitpro.com/t?ctl=4DFC5:4160B336D0B60CB125E47E55ECE19021

Chorizo! Web Application Security Scanner

http://list.windowsitpro.com/t?ctl=4DFDD:4160B336D0B60CB125E47E55ECE19021

PHP Security Scanner

http://list.windowsitpro.com/t?ctl=4DFD7:4160B336D0B60CB125E47E55ECE19021

===

Editor's Note: Do you work in a mixed environment? Visit TechX World
(first URL below) for information about Windows interoperability.
The TechX World community gives you access to interoperability articles
that aren't available anywhere else; news, tips, and tricks from
interop experts and other users; and forums and blog posts by other
community members. Join the TechX World community and sign up for the
TechX Interoperability UPDATE email newsletter (second URL below).

http://list.windowsitpro.com/t?ctl=4DFDE:4160B336D0B60CB125E47E55ECE19021

http://list.windowsitpro.com/t?ctl=4DFD8:4160B336D0B60CB125E47E55ECE19021


=== SPONSOR: Symantec ==========================================

Messaging Security for Small and Midsized Businesses
Did you know that 75% of corporate intellectual property resides in
email? The challenges facing this vital business application range from
spam to the costly impact of downtime and the need for effective,
centralized email storage systems. Join us for a free Web seminar and
learn the key features of a holistic approach to managing email
security, availability, and control. On-Demand Web Seminar.

http://list.windowsitpro.com/t?ctl=4DFBA:4160B336D0B60CB125E47E55ECE19021


=== SECURITY NEWS AND FEATURES =================================

Panda Software Sees Rise in Rootkits
Panda Software said that in 2006, its PandaLabs team tracked a 62
percent increase in the amount of malicious code that used rootkit
technology. The figure is on track to increase even more in 2007.

http://list.windowsitpro.com/t?ctl=4DFCA:4160B336D0B60CB125E47E55ECE19021

Relative Unknowns Top Antivirus Test Chart
In a recent test by AV Comparatives, the top three overall
performers were G DATA Software AntiVirusKit, AEC TrustPort Antivirus
Workstation, and Avira AntiVir Personal Edition Premium--not household
names in the US.

http://list.windowsitpro.com/t?ctl=4DFC9:4160B336D0B60CB125E47E55ECE19021

Microsoft Pushes Ahead with OneCare
In the wake of reports that its Windows Live OneCare security suite
is inadequate, Microsoft announced plans to release a Live OneCare 2.0
beta soon.

http://list.windowsitpro.com/t?ctl=4DFC8:4160B336D0B60CB125E47E55ECE19021

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at

http://list.windowsitpro.com/t?ctl=4DFBF:4160B336D0B60CB125E47E55ECE19021


=== SPONSOR: Beachhead =========================================

Before your next company laptop is lost or stolen...
be sure your valuable data is protected! Lost Data Destruction (LDD)
from Beachhead Solutions provides immediate and affordable protection
through enterprise-controlled encryption and destruction of at-risk
data. No end-user involvement to deploy or manage ensures maximum
security and workforce productivity. Effective with/without internet
connection.

http://list.windowsitpro.com/t?ctl=4DFD2:4160B336D0B60CB125E47E55ECE19021


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Gaping Hole in Wordpress
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4DFD0:4160B336D0B60CB125E47E55ECE19021

If you use Wordpress, you might need to upgrade to version 2.1.2
pronto! There are a couple of huge holes in the code, apparently
inserted by someone for the purpose of intrusion.

http://list.windowsitpro.com/t?ctl=4DFCC:4160B336D0B60CB125E47E55ECE19021

FAQ: Windows Not Ready for Daylight Savings Time
by John Savill, http://list.windowsitpro.com/t?ctl=4DFCF:4160B336D0B60CB125E47E55ECE19021

Q: What is the daylight saving time (DST) problem?

Find the answer at

http://list.windowsitpro.com/t?ctl=4DFCB:4160B336D0B60CB125E47E55ECE19021

TELL US ABOUT THE PRODUCTS YOU LOVE!
What products are you using that save you time or make your workload
a little lighter? What hot product discoveries have you made that other
IT pros need to know about? Let the world know about your experiences
in Windows IT Pro's monthly What's Hot department. If we publish your
story in What's Hot, we'll send you a Best Buy gift card! Send
information about your favorite product and how it has helped you to
whatshot@windowsitpro.com.

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

NAC Appliance Gets Cheaper and Faster
Nevis Networks announced LANsecure OS 3.0 for its LANenforcer
network access control (NAC) appliances. Highlights of the new OS
version are faster endpoint posture checks coupled with identity-based
access control, a three-fold increase in user capacity on LANenforcer
appliances (resulting in reduced costs), and integration with existing
identity-management systems to enforce predefined application access
policies to simplify administration. Prices for LANenforcer appliances
start at $15,000. LANsecure OS 3.0 will be generally available March
19. For more information, go to

http://list.windowsitpro.com/t?ctl=4DFDB:4160B336D0B60CB125E47E55ECE19021


=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit

http://list.windowsitpro.com/t?ctl=4DFCE:4160B336D0B60CB125E47E55ECE19021

Infosecurity Europe is Europe's number-one dedicated Information
Security event held 24-26 April 2007, Grand Hall, Olympia. Now in its
12th year, this event continues to provide an unrivalled education
programme, new products and services, and exhibitors and visitors from
every segment of the industry. For further information:

http://list.windowsitpro.com/t?ctl=4DFD6:4160B336D0B60CB125E47E55ECE19021


Get Ready for the Windows Server Longhorn Roadshow!
Seize control of your Windows infrastructure with Microsoft's
biggest server release since Windows 2003. Get a live, under-the-hood
look at Longhorn virtualization, deployment, Web services, and
breakthroughs in core reliability. This one-day event is filled with
demonstrations and in-depth discussions designed for IT pros who want a
deep understanding of Windows Server Longhorn.

http://list.windowsitpro.com/t?ctl=4DFC3:4160B336D0B60CB125E47E55ECE19021

Deploy Exchange Server 2007 Without a Hitch!
This one-day technical training event teaches you how to preempt
pitfalls and avoid corrupting your infrastructure. You'll learn how to
effectively install, manage, and secure Exchange Server 2007 in a 64-
bit environment. You'll also get a peek into the integration of
Outlook, SharePoint Server 2007, and Exchange Server 2007. Register
today!

http://list.windowsitpro.com/t?ctl=4DFBE:4160B336D0B60CB125E47E55ECE19021


=== FEATURED WHITE PAPER =======================================

SQL Reporting Services is an exciting way for organizations to gain
access and insight into their important business data stored in SQL
Server. Get an overview of how to increase your production server's
performance by offloading Reporting Services to a secondary server.
Download your free copy today!

http://list.windowsitpro.com/t?ctl=4DFBB:4160B336D0B60CB125E47E55ECE19021


=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!

http://list.windowsitpro.com/t?ctl=4DFC1:4160B336D0B60CB125E47E55ECE19021

Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is
your chance to get the recognition you deserve! Winners will receive
over $600 in IT resources and be featured in Windows IT Pro. It's easy
to enter--we're accepting April nominations now, but only for a limited
time! Submit your nomination today:

http://list.windowsitpro.com/t?ctl=4DFD3:4160B336D0B60CB125E47E55ECE19021


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://list.windowsitpro.com/t?ctl=4DFD1:4160B336D0B60CB125E47E55ECE19021

http://list.windowsitpro.com/t?ctl=4DFDC:4160B336D0B60CB125E47E55ECE19021

Subscribe to Security UPDATE at

http://list.windowsitpro.com/t?ctl=4DFC4:4160B336D0B60CB125E47E55ECE19021

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=4160B336D0B60CB125E47E55ECE19021

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=4DFD9:4160B336D0B60CB125E47E55ECE19021

About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://list.windowsitpro.com/t?ctl=4DFC2:4160B336D0B60CB125E47E55ECE19021

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
