PHP Security Guru Quits in Disgust
German researcher Stefan Esser has quit the PHP Security Response Team in disgust, accusing the open-source group of hiding the slow response time to fixing vulnerabilities and, even worse, refusing to fix known flaws for months.

Esser, one of the most prominent open-source security gurus, has "retired" from php@security.net -- a group he founded -- to concentrate on Suhosin, the double-barreled protection system for PHP installations.
"I have realized that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata," Esser said in a blog entry. "I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin."

Esser said he will no longer hide the slow response time to security holes in advisories, adding that some alerts will be published without patches available, "because the PHP Security Response Team refused to fix them for months."
"It will also mean that there will be a lot more advisories about security holes in PHP," he warned.
Esser's damning exit is a major blow for the Apache-backed PHP project, which was created in 1995 by Rasmus Lerdorf and has enjoyed startling usage growth since 1999 (Yahoo is among the high-profile early adopters).
So far, we have not heard the other side of the story -- the PHP folks have not publicly responded to Esser's criticisms -- but this can't be good for PHP users, or for those who argue that open-source, by its very nature, is much more forthcoming about defects and security problems.
Some more obvious questions are being asked over at Emergent Chaos, including:
Stefan, are you planning on providing workarounds for the advisories that don't yet have patches? How are you planning on balancing the need for users to know versus broader exposure of a weakness? What is too long? Where do you draw the line now that you've stepped further away from the project?
The good news is that, with Suhosin, Esser is offering well-maintained patches against the PHP core that implement low-level protections against buffer overflows and format string vulnerabilities. He is also providing a powerful PHP extension that implements the remaining protections.
Esser is also continuing his work on the Hardened-PHP Project, which was co-founded with Christopher Kunz and Peter Prochaska to protect PHP users and servers against present and future security holes.
Comments (1)
We responded to Stefan's message here: http://blogs.zend.com/2006/12/15/is-stefan-esser-righteous/
Posted by Mark de Visser | December 15, 2006 4:40 PM