PHP development teams, perhaps now more than ever before, are tasked with maintaining PHP compliance. Whether it's to meet third-party compliance and security standards (like PCI, SOX, HIPAA, or GDPR) or internal compliance standards, ensuring PHP is patched and supported is a key component of keeping business and customer data safe.
In this article, I give an overview of compliance standards, what they mean, the most common standards that PHP teams need to watch, and the proactive strategies teams can use to meet and maintain PHP application compliance.
Compliance standards are a collection of laws and regulations that companies must adhere to when conducting business. Compliance standards are typically born out of government regulations, and are often region, country, or industry specific.
Laws and guidelines that regulate how a business is to conduct itself are commonplace in the 21st century. These standards, often referred to as regulatory compliance guidelines, bring about safety and protection for both consumers and organizations by ensuring that organizations operate safely and responsibly.
And, in the fast-paced technology space, there are plenty of compliance challenges for teams to consider. While these standards can be a blessing in how they protect each of the entities involved in many transactions, they can also have a significant impact on budgets -- especially in how these policies are implemented as new procedures and technology improvements. With the complexity and time associated with maintaining compliance, organizations need a measured, thoughtful, and documented approach to ensure they're both compliant and maintaining compliance in an efficient manner.
Some of the more common security standards that PHP applications need to meet include:
Payment card processing online is a very popular activity, especially for PHP-based websites. Ensuring that only the necessary personal information is retained, encrypted, and stored/retrieved safely is a principal concern for every consumer and for the organizations that handle this data. Payment card industry (PCI) compliance applies not only to credit cards, but also to debit cards and online agencies like PayPal and Zelle. Companies that do not handle credit cards may still have an obligation to adhere to PCI compliance.
The Sarbanes-Oxley Act of 2002 sought to reform financial reporting after the Enron disaster, which employed a highly speculative accounting practice called mark-to-market (M2M). The accounting practice itself was legal, but the way in which the financial reports were manipulated because of the change was highly fraudulent. Since nearly every company maintains and develops financial data using computer systems, SOX compliance is extremely important for IT professionals to ensure proper reporting.
The medical industry continues to be the lifeblood of American health. Within this complex maze of insurers, policies, and patients flows a lot of personal information. In 1996, Congress felt it necessary to create HIPAA (the Health Insurance Portability and Accountability Act) to regulate how personal information is stored and travels between the interested parties interfacing in the medical field. These laws apply to doctors, hospitals, patients, insurance companies and more to make certain the patients’ privacy is protected.
The European Union approved the General Data Protection Regulation (GDPR) in 2016 and began enforcement in 2018. GDPR is all about the proper handling of customer data -- whether it is through modern websites or legacy applications.
While many other countries might believe that there is no need for this level of oversight, companies doing business in and with organizations in the EU may still be bound by GDPR. I’ve spoken to several CISO/CSO type folks who all agree it's better to be safe with GDPR than sorry. This means that many adopt the standard, even if the business footprint in the EU is minimal.
Beyond required compliance standards, many industries and companies have implemented rules and policies to protect information about the business, employees, and investors. These rules have a dual purpose in that they not only guard against misuse of information, but they are a method to stave off further government regulation and interference in a company’s activities.
Some of these internal standards might center around customer service performance around quality or speed. Addressing how long it takes to respond to an inquiry or request can help assess if a company is adhering to its own requirements of how it intends to do business. These are easily tracked using software and applications like email.
These are not the only standards to consider. Most likely you have a strong idea of the standards in your industry, and it is not unusual for an executive (often the CSO/CISO or Risk Manager) to be charged with responsibility for compliance standards within the organization. That individual should be working closely with the IT team in coordinating a swift and systematic rollout of changes to support adherence to applicable standards. Remember that non-adherence is not the end of the world if you have identified the gaps and have a plan to address them.
Maintaining PHP compliance requires a measured and well-documented compliance plan -- one that is more easily executed when using the right software, and built upon well-supported IT infrastructure.
Find out what kind of compliance your company may be required to adhere to and make sure the rules are being followed. Part of that effort might be to start self-auditing the computer systems in use and under development. Have someone check the database.
One client I spoke to was asked to replace a recently retired developer. Upon review of some of that person’s applications he discovered credit card data being processed and logged in clear text with no encryption. He immediately addressed the issue and is now looking for other areas where the company is not in compliance.
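The clear-text logging finding above is exactly the kind of issue a self-audit of a running system should surface, and it is cheap to check for. As an added example that is not part of the original article, the following PHP script scans application log lines for digit runs that look like a card number and pass the Luhn checksum, and reports them with the PAN masked so the report itself does not reproduce the data. The log lines are constructed for the demo, and the helper names (`luhnValid`, `maskPan`, `findClearTextPans`) are my own, not a library API.

```php
<?php
// Added example (not from the original article): a self-audit helper that
// scans application log lines for primary account numbers (PANs) written
// in clear text. The sample log lines at the bottom are constructed.

declare(strict_types=1);

/**
 * Luhn check on a string of digits. Returns true when the checksum is valid.
 * Most non-card digit runs in logs (timestamps, order ids) fail this check.
 */
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * Mask a PAN for reporting: keep the first 6 and last 4 digits only,
 * so the audit report does not itself become a clear-text copy.
 */
function maskPan(string $digits): string
{
    $len = strlen($digits);
    return substr($digits, 0, 6) . str_repeat('*', $len - 10) . substr($digits, -4);
}

/**
 * Scan an array of log lines. Returns a list of findings shaped as
 * ['line' => <1-based line number>, 'masked' => <masked PAN>].
 * A candidate is 13 to 19 digits, optionally separated by single spaces
 * or dashes, and not adjacent to other digits.
 */
function findClearTextPans(array $lines): array
{
    $findings = [];
    $pattern = '/(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/';
    foreach ($lines as $index => $line) {
        if (preg_match_all($pattern, $line, $matches) === 0) {
            continue;
        }
        foreach ($matches[0] as $candidate) {
            $digits = preg_replace('/\D/', '', $candidate);
            $len = strlen($digits);
            if ($len < 13 || $len > 19 || !luhnValid($digits)) {
                continue; // length out of range or checksum fails: not a PAN
            }
            $findings[] = ['line' => $index + 1, 'masked' => maskPan($digits)];
        }
    }
    return $findings;
}

// Constructed sample log lines. 4111111111111111 and 5500000000000004 are
// well-known test card numbers (valid Luhn); the order id and session id
// are digit runs of similar length that fail the checksum.
$sampleLog = [
    '2024-03-01 10:15:02 INFO  checkout started order=20240301101502',
    '2024-03-01 10:15:03 DEBUG payment request pan=4111111111111111 exp=12/26',
    '2024-03-01 10:15:03 DEBUG gateway ref 5500 0000 0000 0004 approved',
    '2024-03-01 10:15:04 INFO  session id 1234567890123456789',
];

// Expected: lines 2 and 3 are reported; lines 1 and 4 are not.
foreach (findClearTextPans($sampleLog) as $f) {
    printf("line %d: possible clear-text PAN %s\n", $f['line'], $f['masked']);
}
```

To run this against real files, replace the constructed array with `file($path, FILE_IGNORE_NEW_LINES)` over rotated application logs. A hit means the logging call that produced it needs fixing (log a token or the masked form instead), and the affected log files need to be treated as cardholder data until they are purged.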
One of the best ways to avoid penalties on these types of findings is to be able to show that you have a plan in place. The legal community tends to be a lot more forgiving to companies who have identified issues and developed a plan, even if the plan has not been fully implemented yet.
Many software companies have included compliance standards in their offerings, especially in the healthcare industry. Build it into new application development. During the lockdown many companies who had avoided doing business online had absolutely no choice and were thrown into the deep end of not only making their products available, but also adhering to compliance standards.
There are many aspects to application solutions including supported hardware, operating systems, and system software like web & LDAP servers. Is that software on the latest version? Has it been abandoned by the vendor? Are there long-term support options for older solutions?
For PHP teams just starting their compliance journeys, plan for both the cost of the audit and the remediation process. Auditing will almost always reveal issues, and once they're revealed, they should be mitigated as soon as possible.
When I was an IT director for a private company, the CIO asked that we “validate” the firewall and network security. I immediately reviewed a few things internally and secured a third party to come in and perform an audit. When I went into his office to get the approval, he saw the cost of the audit and some additional costs to the order. He asked what the additional cost was for, and I told him it was a very rough estimate of the cost of fixing the issues.
Remediation is not free, but it doesn’t have to be a complete drain on profitability if implemented smartly. The best plan is to have a plan and continue to work through it, revise it, and retest it.
At Perforce, we have many solutions around auditing and LTS for open source software like PHP, AngularJS, CentOS, and others (including some that have been abandoned by the community). These support options can help an organization with both immediate compliance with current standards requirements and a longer window to get applications revised for execution on current versions.
Sr. Solutions Engineer, Zend by Perforce
Mike has been working with IBM midrange solutions since 1992 and IBM Mainframes before that. Mike was instrumental in developing the adoption of PHP as a primary solution for web development on IBM i, working with Zend Technologies. Today, as Senior Sales Engineer with Perforce, Mike helps companies around the world approach the challenges of modernization and open source technologies. In addition to several roles as a volunteer with COMMON, the premier IBM midrange user group, Mike also teaches PHP & Python classes part time at Moraine Valley Community College in suburban Chicago.