Blog
April 13, 2023
PHP development teams, perhaps now more than ever before, are tasked with maintaining PHP compliance. Whether it's to meet third party compliance and security standards (like PCI, SOX, HIPAA, or GDPR), or internal compliance standards, ensuring PHP is patched and supported is key component of keeping business and customer data safe.
In this article, I give an overview of compliance standards, what they mean, the most common standards surrounding web application compliance that PHP teams need to watch, and the proactive strategies teams can use to meet and maintain PHP application compliance.
What Are Compliance Standards?
Compliance standards are a collection of laws and regulations that companies must adhere to when conducting business. Compliance standards are typically born out of government regulations, and are often region, country, or industry specific.
Laws and guidelines that regulate how a business is to conduct itself are commonplace in the 21st century. These standards, often referred to as regulatory compliance guidelines, bring about safety and protection for both consumers and organizations by ensuring that organizations operate safely and responsibly.
And, in the fast-paced technology space, there are plenty of compliance challenges that for teams to consider. While these standards for web application compliance can be a blessing in how they protect each of the entities involved in many transactions, they can also have a significant impact on budgets, especially in how these policies are implemented as new procedures and technology improvements. With the complexity and time associated with maintaining compliance, organizations utilizing PHP need a measured, thoughtful, and documented approach to ensure they're both compliant, and maintaining web application compliance in an efficient manner.
Back to topCommon Web Application Compliance Standards for PHP Apps
Some of the more common security standards that PHP applications need to meet include:
- PCI security standards
- SOX compliance standards
- HIPAA compliance standards
- GDPR data protection standards
- Internal compliance standards
PCI Security Standards
Payment card processing online is a very popular activity, especially for PHP-based websites. Ensuring that only the necessary personal information is retained, encrypted, and stored/retrieved safely is a principal concern for every consumer and the organizations that handle this data. Payment card industry (PCI) compliance applies not only credit cards, but also debit cards and online agencies like PayPal and Zelle. Companies that do not handle credit cards may still have an obligation to adhere to PCI web application compliance.
SOX Compliance Standards
The Sarbanes-Oxley act of 2002 sought to reform financial reporting after the Enron disaster, which employed a highly speculative accounting practice called M2M(Market-to-market). The accounting practice itself was legal, but the way in which the financial reports were manipulated because of the change was highly fraudulent. Since nearly every company maintains and develops financial data using computer systems, SOX compliance is extremely important for IT professionals to ensure proper reporting.
HIPAA Compliance Standards
The medical industry continues to be the lifeblood of American health. Within this complex maze of insurers, policies, and patients flows a lot of personal information. In 1996, Congress felt is necessary to create HIPAA (Health Information Portability and Accountability Act to regulate how personal information is stored and travels between the interested parties interfacing in the medical field. These laws apply to doctors, hospitals, patients, insurance companies and more to make certain the patients’ privacy is protected.
GDPR Data Protection Standards
Approved in 2016, the European Union created the General Data Protection Regulation (GDPR), and began enforcement in 2018. GDPR is all about the proper handling of customer data -- whether it is through modern websites or legacy applications.
While many other countries might believe that there is no need for this level of oversight, companies doing business in and with organizations in the EU may still be bound by GDPR. I’ve spoken to several CISO/CSO type folks who all agree, it's better to be safe with GDPR than sorry. This meaning that many adopt the web application compliance standard, even if the business footprint in the EU is minimal.
Internal Compliance Standards
Beyond required compliance standards, many industries and companies have implemented rules and policies to protect information about the business, employees, and investors. These rules have a dual purpose in that they not only guard against misuse of information, but they are a method to stave off further government regulation and interference in a company’s activities.
Some of these internal standards might center around customer service performance around quality or speed. Addressing how long it takes to respond to an inquiry or request can help assess if a company is adhering to its own requirements of how it intends to do business. These are easily tracked using software and applications like email.
These are not the only standards to be considering. Most likely you have a strong idea of standards in your industry, and it is not unusual for an executive (often the CSO/CISO or Risk Manager) to be charged with responsibility of compliance standards within the organization. That individual should be working closely with the IT team in coordinating a swift and systematic rollout of changes to support adherence to applicable standards. Remember that non-adherence is not the end of the world if you have identified the gaps and have a plan to address them.
Back to topMaintain Web Application Compliance With Zend Admin as a Service
Zend Admin as a Service ensures your PHP web app remains compliant with all required regulations. Take advantage of scheduled security patches, uninterrupted performance monitoring, and much more.
Proactive Strategies for Maintaining PHP Compliance
Maintaining PHP compliance requires a measured and well-documented compliance plan -- one that can be easier executed when using the right software, and built upon well-supported IT infrastructure.
1. Develop and Communicate a Web Application Compliance Plan
Find out what kind of compliance your company may be required to adhere to and make sure the rules are being followed. Part of that effort might be to start self-auditing the computer systems in use and under development. Have someone check the database.
One client I spoke to was asked to replace a recently retired developer. Upon review of some of that person’s applications he discovered credit card data being processed and logged in clear text with no encryption. He immediately addressed the issue and is now looking for other areas where the company is not in compliance.
One of the best ways to avoid penalties on these types of findings is to identify that you have a plan in place. The legal community tends to be a lot more forgiving to companies who have identified issues and developed a plan, even if the plan has not been fully implemented yet.
2. Leverage Software Whenever Possible
Many software companies have included compliance standards in their offerings, especially in the healthcare industry. Build it into new application development. During the lockdown many companies who had avoided doing business online had absolutely no choice and were thrown into the deep end of not only making their products available, but also adhering to compliance standards.
3. Don’t Neglect Your Infrastructure
There are many aspects to application solutions including supported hardware, operating systems, and system software like web & LDAP servers. Is that software on the latest version? Has it been abandoned by the vendor? Are there long-term support options for older solutions?
Back to topFinal Thoughts
For PHP teams just starting their PHP compliance journeys, plan for both the cost of the audit and the remediation process. Auditing will almost always reveal issues, and once they're revealed, they should be mitigated as soon as possible.
When I was an IT director for a private company, the CIO asked that we “validate” the firewall and network security. I immediately reviewed a few things internally and secured a third party to come in and perform an audit. When I went into his office to get the approval, he saw the cost of the audit and some additional costs to the order. He asked what the additional cost was for, and I told him it was a very rough estimate of the cost of fixing the issues.
Remediation is not free, but it doesn’t have to be a complete drain on profitability if implemented smartly. The best plan is to have a plan and continue to work through it, revise it, and retest it.
At Perforce, we have many solutions around auditing and LTS for open source software like PHP, AngularJS, CentOS, and others (including some that have been abandoned by the community). These support options can help an organizations with both immediate compliance of current standards requirements as well as provide a longer window to get applications revised for execution on current versions.
Keep Your PHP Compliant With LTS and Migration Services From Zend
Zend LTS makes it easy to keep end of life PHP versions patched and compliant. And, when you're ready to migrate to a supported PHP version, we offer expert migration services that can get you there faster.
Additional Resources
- 101 Guide - PHP Security
- Case Study - Zend Performs Bark.com PHP Migration
- Blog - PHP Hardening: Strategies to Meet Compliance Requirements
- Blog - Why Good PHP Monitoring Matters
- Blog - 6 PHP Security Best Practices
- Blog - Using Containers to Improve PHP App Security
- Blog - GDPR PHP Compliance: Maintaining GDPR for Web Applications
- White Paper - Planning Your Next PHP Migration
- Solution - Zend PHP Consulting Services
- Solution - Zend PHP Security and Consulting Services