PHP Security Center
What Is the PHP Security Center?
The PHP Security Center is a tool for DevOps and developers. Developers should use it to understand which versions of PHP they should target for production, which areas of their code might be vulnerable, and how to mitigate vulnerabilities proactively.
DevOps should use the PHP Security Center to understand when PHP applications they manage might be susceptible to vulnerabilities, and then work with PHP developers and systems teams to get application and PHP updates in place.
What Is a PHP CVE?
Common Vulnerabilities and Exposures (CVE) entries help developers know which prevalent vulnerabilities to be mindful of when developing and running PHP applications. The PHP Security Center references CVEs related to the PHP language.
This information includes details about each CVE and its impact, which PHP versions and/or extensions were affected, and how to protect your application from the vulnerability. It covers whether upgrading your PHP installation is required, and which workarounds you can apply in your own code.
How Often Is the PHP CVE List Updated?
The Zend team checks for new vulnerabilities daily, but only updates the site when CVEs have been made public and when mitigations can be provided. Historically, these updates occur around every 6-12 weeks.
Why Is Zend Qualified to Report PHP Security Vulnerabilities?
The security experts at Zend by Perforce evaluate CVEs in order to provide mitigations, and work with the community PHP teams to provide patches to the language itself, as well as to backport those patches to the LTS versions Zend provides. These experts have a combined experience of multiple decades in the industry and a dedicated interest in ensuring the best possible security.
The Benefits of PHP Security Center for the Broader PHP Community
The information published alongside PHP security releases is generally intentionally sparse, primarily just linking to the relevant CVEs from the release changelog. The PHP Security Center links to the originating CVE, but also provides PHP-specific context, such as which extensions or functions are affected and the OWASP category of the vulnerability: cross-site scripting issues versus SQL injection issues versus remote code execution, for example.
Additionally, when possible, the Zend team details how to mitigate issues in your own code without upgrading your PHP version, for cases where upgrading cannot happen immediately. This information helps PHP developers and DevOps personnel make more informed decisions about how best to protect their applications and their business.
Need to know more about the potential vulnerabilities in your PHP applications? Connect with a Zend PHP expert today.