Matthew Weier O’Phinney
The PHP Security Center is a tool for DevOps and developers. Developers should use it to understand which versions of PHP they should target for production, which areas of their code might be vulnerable, and how to mitigate vulnerabilities proactively.
DevOps should use the PHP Security Center to understand when PHP applications they manage might be susceptible to vulnerabilities, and then work with PHP developers and systems teams to get application and PHP updates in place.
Common Vulnerabilities and Exposures (CVE) entries help developers know which prevalent vulnerabilities to be mindful of when developing and running PHP applications. The PHP Security Center references CVEs related to the PHP language.
This information includes details about the CVE and its impact, which PHP versions and/or extensions were affected, and information on how to protect your application from the vulnerability: whether upgrading your PHP installation is required, or which workarounds you can apply in your own code.
The Zend team checks for new vulnerabilities daily, but only updates the site when CVEs have been made public and when we can provide mitigations. Historically, such updates have occurred roughly every 6 to 12 weeks.
The security experts at Zend by Perforce evaluate CVEs in order to provide mitigations, and work with the community PHP teams to provide patches to the language itself, as well as to backport those patches to the LTS versions Zend provides. These experts have a combined experience of multiple decades in the industry and a dedicated interest in ensuring the best possible security.
The PHP Security Center is intentionally sparse about the information it provides around CVEs, primarily linking to CVEs via the changelog of the security release that addresses them when that release is issued to the public. Beyond linking to the originating CVE, the site provides PHP-specific context, such as which extensions or functions are affected and the OWASP category of the vulnerability, for example cross-site scripting versus SQL injection versus remote code execution.
Additionally, when possible, the Zend team details how to mitigate an issue in your own code without upgrading your PHP version, for cases where upgrading cannot happen immediately. This information helps PHP developers and DevOps personnel make more informed decisions about how best to protect their applications and their business.
Zend Product Manager, Zend by Perforce
Matthew began developing on Zend Framework (ZF) before its first public release, and led the project for Zend from 2009 through 2019. He is a founding member of the PHP Framework Interop Group (PHP-FIG), which creates and promotes standards for the PHP ecosystem — and is serving his second elected term on the PHP-FIG Core Committee.