PHP Security and Compliance: Trends to Watch in 2024

The Zend 2024 PHP Landscape Report is built on responses to an anonymous survey of self-identified PHP users and administrators, seeking to understand the PHP landscape for improved experience in the coming year. While we previously broke down data surrounding PHP app development and deployment trends, today we turn our attention to a top concern from survey respondents: PHP security and compliance.

In this blog, we walk you through our findings surrounding 2024 PHP development priorities, leading PHP security trends, and PHP compliance standards and concerns from our global respondents.  

Top PHP Development Priorities in 2024

One of the key areas we ask about in our annual survey of the PHP landscape is the overall prioritization of activities for respondents’ development teams. In 2024, we asked participants to rank developmental priorities on a scale of one to five, with one indicating the lowest level of priority and five indicating the highest.

Building new features ranked as the top priority for 44.30% of respondents, with security taking a close second at 40.72%. Lower concern priorities included improving code quality (22.36%), improving performance (18.78%), and deployment automation/orchestration (11.18%).

While building new features narrowly outpaced the prioritization of security, it’s possible that new features—like identify and access management—might be developed with security in mind. This may also apply to areas like code improvement, where teams are likely addressing security at a granular level. 

2024 PHP Security Trends

With approximately two out of five respondents ranking security as a leading concern across ecosystems, it is important to track trends in the coming year. To accomplish this, we revised and expanded our 2024 survey questions regarding PHP security trends, seeking data surrounding how PHP teams regard the security of their applications, the measures they take to improve PHP security, and how they maintain application security and compliance.

We began by asking our survey respondents to report their overall comfort level with the PHP security of their applications. As reflected in the data chart below, their responses correlate with other survey data, such as job title categories, the need to meet PHP compliance standards, and other factors.

50.63% of survey participants reported feeling “Very Confident” with their PHP security within applications, with 26.58% reporting they felt “Somewhat Confident” and 18.14% feeling “Extremely Confident.” That sets an impressive 95.35% of survey participants noting an overall positive sentiment around their application’s PHP security.

Additionally, we asked participants who reported a need to meet compliance requirements to evaluate their confidence level in the security of their application. The reported data, shown in the chart blow, reflects similar views to PHP security, with 56.98% reporting they are “Very Confident,” 22.09% answering “Somewhat Confident,” and 17.05% stating they were “Extremely Confident.”

PHP Security Trends Segmented by Team

We then segmented our results by job responsibilities and PHP version to get a better understanding of the overall security confidence within various respondent groups.

First, we looked at how professional roles viewed PHP security. While the percentage of respondents for each category selecting “Very Confident” (50% vs. 52.63%), “Somewhat Confident” (27.33% vs. 28.95%), and “Extremely Confident” (18.33% vs. 18.42%) were relatively consistent, the negative perceptions of PHP application security showed a disconnect between roles. Overall, developers were much more likely to report feeling “Not So Confident” or “Not At All Confident” compared to their C-Suite counterparts (4.34% vs. 0%).

Next, we examined security sentiment by PHP version adoption, comparing respondents using PHP 5.6 and previous versions, PHP 7.X versions, and PHP 8.X versions. We found that teams using PHP 5.6 were significantly less confident in their overall PHP security than those using PHP 7.X or 8.X versions, as reflected in the chart above.

We were surprised to see the high level of confidence in PHP security across applications. These results speak to the improvements in the language and ecosystem in recent years. As the last PHP 5 release was almost a decade ago and security patches have ended, we felt that the respondents’ lower confidence in applications deployed on version 5 releases was deserved. We recommend these users should look to upgrade their applications to decrease security exposure. Despite high confidence levels in PHP 7 users, we encourage them to consider upgrading as well, as PHP 7 releases are no longer receiving security patches from the open source project.

Zend Provides LTS and Migration Services

Are you looking for LTS services for your PHP project? Are you ready to migrate PHP versions? Zend has you covered. We'll help you migrate on your schedule while maintaining compliance standards.

Long Term Support for PHP   PHP Migration Services

Top PHP Security Tactics

Looking at security more tactically, we asked teams to share how they prioritize their improvement measures for security in the development and maintenance of PHP applications. As with previous questions, we asked participants to rank each entry on a scale of one to five, with one indicating that the tactic is not important and five indicating the tactic is very important. We compiled the data in the below chart using a weighted average.

The consensus top three most important tactics for PHP teams were implementing strong authentication and access controls (4.38), implementing and enforcing secure coding practices (4.35), and regularly applying security patches and updates in application dependencies (4.20). Other strongly represented tactics included monitoring and logging application activities for security incidents (3.99) and performing automated security scanning and testing (3.52). The lowest ranking tactic reported was conducting security training for development teams (3.40), which we found interesting as training is necessary to implement secure coding practices.

As identity and access management is a critical concern when securing any application, we were pleased to see so many respondents rating it as their chief security concern. As PHP language does not provide any built-in mechanisms for achieving robust access control, choosing the right libraries and approaches are key architectural questions to answer.

Additionally, we were happy that implementing and enforcing secure coding practices is a top priority for participants. We hope to explore this response further in future iterations of this survey as we are curious about what practices and standards are in place and what language features are aiding or obstructing the ability to secure applications.

2024 PHP Compliance Trends

PHP security and PHP compliance directly influence one another, so as we sought to gain a full scope of the 2024 landscape, we returned to a question from our 2023 report. We asked participants to state whether they need to meet regulatory or industry compliance standards. If they did not currently need to meet any PHP compliance standards, we asked them if they anticipated the need to meet any compliance in the next 12 months.

Over half (54.46%) of survey participants reported that they must meet regulatory or industry standards for their PHP applications. 38.37% responded that they do not currently nor foresee the need to meet compliance standards. The remaining 7.17% stated that while they don’t need to meet PHP compliance standards now, they will soon.

Comparing our findings year over year, we see little movement in teams needing to meet compliance (55.21% vs. 54.46%), but we did see a jump in those not needing to meet compliance standards nor anticipating needing to meet them in the future (31.44% to 38.37%). Conversely, fewer teams (13.34% to 7.17%) noted they do not currently need to meet compliance standards but expect to in the next year.

Top PHP Compliance Standards in 2024

For those who indicated the need to meet compliance requirements, we asked for a report of which standards they adhered to for their PHP applications. GDPR was the top selected option at 69.98%, with ISO 27001 at 20.65% and PCI DSS at 20.32%. Other commonly reported requirements included internal compliance standards (19.68%) and the EU e-Privacy Directive (16.31%).

Looking at compliance requirements by region, our survey showed that the top global areas needing to meet compliance standards for their PHP applications were North America (61.44%), Europe (60.53%), and the United Kingdom (60%). 

Unsurprisingly, the reported requirements varied widely by location. Respondents in North, Central, and South America were far less likely to selected GDPR (45.22% vs. 95%) and the EU e-Privacy Directive (5.22% vs. 25.62%) than participants from Europe and the UK.

The main takeaway from our PHP compliance data? PHP powers global businesses, regardless of region. Government-led regulatory requirements such as GDPR, ISO 27001, the EU e-Privacy Directive, and HIPAA govern how organizations deploy applications. Furthermore, money talks, as PCI DSS, SOX, and NIST are required to interact with financial institutions, making compliance a necessary business cost.

Final Thoughts

If your PHP application works with any sensitive customer data, then you have PHP security and compliance requirements. With the globally connected world of the internet, you're likely falling under many regulatory umbrellas. Failure to meet these standards can have severe consequences for your business and users.

To avoid security issues and maintain compliance, it is critical to either stay on supported versions of PHP technologies or to secure long term support for end of life versions from a trusted and established vendor, such as Zend. For decades, we have helped evolve the PHP language and how it is used by global leaders, and we are ready to support your IT infrastructure.

Need Security Support in 2024?

Zend is here to help. We deliver PHP long-term support and professional services that help companies keep their PHP applications secure and compliant.

Explore LTS Options  See PS Options

Additional Resources

• White Paper—2024 PHP Landscape Report
• White Paper—2023 PHP Landscape Report
• Webinar—The 2024 State of PHP Development
• Blog—2024 PHP Report Overview: PHP App Development and Deployment Trends
• Blog—6 PHP Security Best Practices
• Blog—PHP Security Center
• Datasheet—Zend Security Audit