In Defence of PHP - Stephen Rees-Carter - NDC Security 2023

Discover why PHP's reputation is undeserved and how modern PHP frameworks, tools, and best practices make it a secure choice for building robust web applications.

Key takeaways
  1. PHP’s Unfair Reputation: PHP has been unfairly attacked and criticized, often due to its legacy code and outdated tutorials.

  2. Modern PHP is Secure: Modern PHP frameworks and tools provide robust security features, making it easy to build secure applications.

  3. Composer Package Manager: Composer revolutionized PHP package management, enabling easy dependency management and security updates.

  4. PHP Framework Interoperability Group (PHP Fig): PHP Fig promotes interoperability and best practices among PHP frameworks, leading to more secure and consistent code.

  5. Content Security Policy (CSP): Modern PHP frameworks make it easy to implement CSP, protecting against cross-site scripting (XSS) attacks.

  6. CSRF Protection: Laravel and other frameworks provide built-in CSRF protection, preventing unauthorized actions from being performed.

  7. Input Validation and Sanitization: PHP’s filter_input function and other tools simplify input validation and sanitization, reducing the risk of injection attacks.

  8. Secure Password Handling: Modern PHP frameworks offer secure password hashing and storage mechanisms, preventing password breaches.

  9. Active Security Community: PHP has an active security community that continuously works on identifying and fixing vulnerabilities, ensuring ongoing security improvements.

  10. Legacy Code Challenges: While modern PHP is secure, legacy code and outdated applications can introduce vulnerabilities. Regular updates and security audits are crucial for maintaining security.