BreadcrumbHomeResourcesBlog PHP Security Center June 18, 2020 PHP Security CenterSecurityBy Matthew Weier O’Phinney Table of Contents What Is the PHP Security Center?What Is a PHP CVE?Why Is Zend Qualified to Report PHP Security Vulnerabilities?The Benefits of PHP Security Center for the Broader PHP CommunityTable of Contents1 - 2 - What Is the PHP Security Center?3 - What Is a PHP CVE?4 - Why Is Zend Qualified to Report PHP Security Vulnerabilities?5 - The Benefits of PHP Security Center for the Broader PHP CommunityBack to topWhat Is the PHP Security Center?The PHP Security Center is a tool for DevOps and developers. Developers should use it to understand what versions of PHP they should target for production, as well as to understand what areas of their code might be vulnerable, and how to mitigate vulnerabilities pro-actively.DevOps should use the PHP Security Center to understand when PHP applications they manage might be susceptible to vulnerabilities, and then work with PHP developers and systems teams to get application and PHP updates in place.Back to topWhat Is a PHP CVE?Common vulnerability exposures (CVE), help developers to know the prevalent vulnerabilities to be mindful of when developing and running PHP applications. The PHP Security Center has references to common vulnerability exposures, or CVEs, related to the PHP language.This information includes details about the CVE and its impact, which PHP versions and/or extensions were affected, and information on how to protect your application from the vulnerabilities. This shows whether upgrading your PHP install or the potential workarounds you can perform in your own code.How Often Is the PHP CVE List Updated?The Zend team checks for new vulnerabilities daily, but only updates the site when CVEs have been made public, and for which we can provide mitigations. Historically, these occur around every 6-12 weeks.Back to topWhy Is Zend Qualified to Report PHP Security Vulnerabilities?The security experts at Zend by Perforce evaluate CVEs in order to provide mitigations, and work with the community PHP teams to provide patches to the language itself, as well as to backport those to the LTS versions Zend provides. These experts have a combined experience of multiple decades in the industry and dedication interest in assuring the best security. Back to topThe Benefits of PHP Security Center for the Broader PHP CommunityThe PHP Security Center is generally intentionally sparse about the information it provides around CVEs, primarily only linking to CVEs via their changelog when issuing a new security releases to the public. The site links to the originating CVE, but also provides PHP specific context, such as the extensions or functions are affected, and the OWASP category of the vulnerability — such as cross-site scripting issues versus SQL injection issues versus remote code exploits. Additionally, when possible the Zend team details how to mitigate issues in your own code without upgrading your PHP version, if upgrading is something that cannot happen immediately. This information helps PHP developers and DevOps personnel make more informed decisions about how best to protect applications and their business.Need to know more about the potential vulnerabilities in your PHP applications? Connect with a Zend PHP expert today. PHP SECURITY CENTER Related Resources: Blog - PHP Security and Compliance: Trends to Watch in 2024What is Enterprise Application Security? Click Here for the Complete GuideBack to top
Matthew Weier O’Phinney Zend Product Manager, Zend by Perforce Matthew began developing on Zend Framework (ZF) before its first public release, and led the project for Zend from 2009 through 2019. He is a founding member of the PHP Framework Interop Group (PHP-FIG), which creates and promotes standards for the PHP ecosystem — and is serving his second elected term on the PHP-FIG Core Committee.
