Security UPDATE--How to Write Secure PHP Code--March 14, 2007
Learn about Web sites that can help you write better code and help you audit third-party code for potential problems. And get links to other security news and resources.
March 13, 2007
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
Free Brief: Personal HP Workstations = Higher ROI?
http://findtechinfo.com/bankinfo/nl/230
Messaging Security for Small and Midsized Businesses
http://www.windowsitpro.com/go/seminars/symantec/messagingsecurity/?partnerref=SECMid0314
Before your next company laptop is lost or stolen...
http://www.beachheadsolutions.com/lp12.php
CONTENTS
===========================================
IN FOCUS: How to Write Secure PHP Code

NEWS AND FEATURES
- Panda Software Sees Rise in Rootkits
- Relative Unknowns Top Antivirus Test Chart
- Microsoft Pushes Ahead with OneCare
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Gaping Hole in Wordpress
- FAQ: Windows Not Ready for Daylight Savings Time
- Tell Us About the Products You Love!
- Share Your Security Tips

PRODUCTS
- NAC Appliance Gets Cheaper and Faster

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: HP
======================================
Free Brief: Personal HP Workstations = Higher ROI?
Discover why financial services executives get a LOT more out of their IT investments by investing in HP Personal Workstation Technology. Quickly learn how workstations ensure accuracy and security while driving down short- and long-term operating costs. This quick-read guide is a must read today.
http://findtechinfo.com/bankinfo/nl/230

=== IN FOCUS: How to Write Secure PHP Code
===
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about a few things you need to know about securing your PHP installations. I also pointed to several sites that offer good information about what to look out for and what configuration changes you might need to make. If you missed that article, you can read it on our Web site at the URL below.
http://www.windowsitpro.com/Article/ArticleID/95404

If you have PHP installed, then obviously you're going to run PHP code. Some of that code might be written by third-party developers, and some of it you might write yourself. Either way, you should learn about secure coding practices for PHP. Doing so helps you write better code and helps you audit third-party code for potential problems.

As an example of why the latter matters, be sure to read my blog article "Gaping Hole in Wordpress" (linked from the GIVE AND TAKE section of this newsletter below) to learn how someone slipped "back doors" into Wordpress, a hugely popular PHP-based blogging platform. You can write simple scripts that audit third-party code for potential back doors by scanning it for any or all of the dangerous functions I discussed last week. Treat such a scan as a first pass rather than a verdict: a function name that appears only inside a comment or a string literal is noise, and a back door that assembles its function name at run time (for example, by decoding a string and calling it as a variable function) will never match a fixed list of names, so every hit is a place to start reading, and a clean scan is not proof that the code is clean.

To help you write your own secure PHP code, I went looking for resources and found several decent Web sites that provide writing aid and some tools that look for coding vulnerabilities. The sites at the URLs below are a big help, so take some time to study them carefully. If you know of any others, send me a message with a URL and I'll share it here in the newsletter for everyone's benefit.
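The audit script suggested above, as an added example that is not code from this newsletter, from the WordPress project, or from any of the sites listed next. It tokenizes PHP source just far enough to skip comments and string literals, then reports calls to a watch list of execution and payload-decoding functions, backtick shell execution, preg_replace with the /e modifier, and dynamic $name() calls. The watch lists stand in for the "dangerous functions" from last week's article and are my assumption; the PHP snippet at the bottom is constructed input, not real project code.

```python
"""Audit PHP source for function calls commonly used by planted back doors.

Added example, not code from the newsletter or from any resource it lists.
The watch lists below are an assumption standing in for the dangerous
functions enumerated in the previous week's article; tune them to your own
policy. The PHP sample at the bottom is constructed, not real project code.
"""
import re
from typing import List, Optional, Tuple

# Assumed watch lists (not taken from the article).
EXEC_FUNCS = {            # run PHP code or shell commands
    "eval", "assert", "create_function", "exec", "system", "passthru",
    "shell_exec", "proc_open", "popen", "pcntl_exec",
}
DECODE_FUNCS = {          # typical wrappers around an obfuscated payload
    "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
}

# Comments and string literals are matched as whole tokens first, so a
# function name that merely appears inside them is never reported.
TOKEN_RE = re.compile(
    r"""
    (?P<comment>/\*.*?\*/|(?://|\#)[^\n]*)          |
    (?P<string>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")  |
    (?P<backtick>`[^`]*`)                            |
    (?P<dyncall>\$[A-Za-z_]\w*\s*\()                 |
    (?P<call>(?<![\w$>:])[A-Za-z_]\w*\s*\()
    """,
    re.DOTALL | re.VERBOSE,
)

Finding = Tuple[int, str, str]  # (line number, category, evidence)


def scan_php(src: str) -> List[Finding]:
    """Return (line, category, evidence) findings in source order."""
    findings: List[Finding] = []
    pending_exec: Optional[Tuple[int, str]] = None  # last exec-class call
    expect_pattern = False   # next string literal is preg_replace's pattern
    for m in TOKEN_RE.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        kind, text = m.lastgroup, m.group(0)
        if kind == "comment":
            continue
        if kind == "string":
            if expect_pattern:
                expect_pattern = False
                # modifiers sit between the closing delimiter and the quote;
                # an 'e' among them makes preg_replace eval() the replacement
                if re.search(r"[^\w\s]\w*e\w*['\"]$", text):
                    findings.append((line, "preg_replace /e modifier", text))
            continue
        if kind == "backtick":
            findings.append((line, "shell command via backticks", text))
            continue
        if kind == "dyncall":
            findings.append((line, "dynamic function call", text[:-1].strip()))
            continue
        name = text[:-1].strip().lower()
        if name == "preg_replace":
            expect_pattern = True
        elif name in EXEC_FUNCS:
            findings.append((line, f"code/command execution: {name}()", name))
            pending_exec = (line, name)
        elif name in DECODE_FUNCS:
            findings.append((line, f"payload decoding: {name}()", name))
            if pending_exec and pending_exec[0] == line:
                # eval(base64_decode(...)) on one line: the classic shape
                findings.append((line, "obfuscated payload executed",
                                 f"{pending_exec[1]}({name}(...))"))
    return findings


# Constructed sample, not real WordPress (or any other project's) code.
SAMPLE_PHP = r'''<?php
// eval() mentioned in a comment must not be reported
function tidy($s) { return trim($s); }
$msg = "system() inside a string is only text";
/* nor should exec() in a block comment */
if (isset($_REQUEST['k'])) {
    eval(base64_decode($_REQUEST['k']));   // planted back door
}
$html = preg_replace("/<b>(.*?)<\/b>/e", "strtoupper('\\1')", $html);
$listing = `ls -la $dir`;
$fn = $_GET['f']; $fn($_GET['a']);
?>'''

if __name__ == "__main__":
    for line, category, evidence in scan_php(SAMPLE_PHP):
        print(f"line {line}: {category}: {evidence}")
```

Run it over a directory by reading each .php file and calling scan_php() on its contents; the sample above yields six findings on lines 7, 9, 10 and 11 and nothing for the comment and string-literal decoys. The dynamic-call category is the one to read most carefully, since that is the shape a back door takes when it wants to avoid a grep for eval().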
Secure Programming in PHP
http://www.cgisecurity.com/lib/php-secure-coding.html

PHP - Secure coding
http://www.linuxformat.co.uk/wiki/index.php/PHP_-_Secure_coding

Secure Programming for Linux and Unix HOWTO, Chapter 10, Language-Specific Issues, 10.8 PHP (this pertains to Windows also)
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html

PHP Security Consortium's PHP Security Guide
http://phpsec.org/projects/guide/

PHP Input Filter (Developer Shed's Network, PHP Scripts)
http://www.scripts.com/php-scripts/security-scripts/php-input-filter/

SecurePHP Wiki
http://www.securephpwiki.com/index.php/Main_Page

PHP Top 5 (security problems extracted from SANS Top 20 list)
http://www.owasp.org/index.php/PHP_Top_5

Top 10 ways to crash PHP
http://ilia.ws/archives/5_Top_10_ways_to_crash_PHP.html

Chorizo! Web Application Security Scanner
http://chorizo-scanner.com/

PHP Security Scanner
http://securityscanner.lostfiles.de/

===

Editor's Note: Do you work in a mixed environment? Visit TechX World (first URL below) for information about Windows interoperability. The TechX World community gives you access to interoperability articles that aren't available anywhere else; news, tips, and tricks from interop experts and other users; and forums and blog posts by other community members. Join the TechX World community and sign up for the TechX Interoperability UPDATE email newsletter (second URL below).
http://techxworld.com
http://techxworld.com/community/reg

=== SPONSOR: Symantec
================================
Messaging Security for Small and Midsized Businesses
Did you know that 75% of corporate intellectual property resides in email? The challenges facing this vital business application range from spam to the costly impact of downtime and the need for effective, centralized email storage systems. Join us for a free Web seminar and learn the key features of a holistic approach to managing email security, availability, and control. On-Demand Web Seminar.
http://www.windowsitpro.com/go/seminars/symantec/messagingsecurity/?partnerref=SECMid0314

=== SECURITY NEWS AND FEATURES
=======================
Panda Software Sees Rise in Rootkits
Panda Software said that in 2006, its PandaLabs team tracked a 62 percent increase in the amount of malicious code that used rootkit technology. The figure is on track to increase even more in 2007.
http://www.windowsitpro.com/Article/ArticleID/95420

Relative Unknowns Top Antivirus Test Chart
In a recent test by AV Comparatives, the top three overall performers were G DATA Software AntiVirusKit, AEC TrustPort Antivirus Workstation, and Avira AntiVir Personal Edition Premium--not household names in the US.
http://www.windowsitpro.com/Article/ArticleID/95390

Microsoft Pushes Ahead with OneCare
In the wake of reports that its Windows Live OneCare security suite is inadequate, Microsoft announced plans to release a Live OneCare 2.0 beta soon.
http://www.windowsitpro.com/Article/ArticleID/95393

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: Beachhead
===============================
Before your next company laptop is lost or stolen... be sure your valuable data is protected! Lost Data Destruction (LDD) from Beachhead Solutions provides immediate and affordable protection through enterprise-controlled encryption and destruction of at-risk data. No end-user involvement to deploy or manage ensures maximum security and workforce productivity. Effective with/without internet connection.
http://www.beachheadsolutions.com/lp12.php

=== GIVE AND TAKE
====================================
SECURITY MATTERS BLOG: Gaping Hole in Wordpress
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters
If you use Wordpress, you might need to upgrade to version 2.1.2 pronto! There are a couple of huge holes in the code, apparently inserted by someone for the purpose of intrusion.
http://www.windowsitpro.com/Article/ArticleID/95384

FAQ: Windows Not Ready for Daylight Savings Time
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Q: What is the daylight saving time (DST) problem?
Find the answer at http://www.windowsitpro.com/Article/ArticleID/95357

TELL US ABOUT THE PRODUCTS YOU LOVE!
What products are you using that save you time or make your workload a little lighter? What hot product discoveries have you made that other IT pros need to know about? Let the world know about your experiences in Windows IT Pro's monthly What's Hot department. If we publish your story in What's Hot, we'll send you a Best Buy gift card! Send information about your favorite product and how it has helped you to [email protected].

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS
=========================================
by Renee Munshi, [email protected]

NAC Appliance Gets Cheaper and Faster
Nevis Networks announced LANsecure OS 3.0 for its LANenforcer network access control (NAC) appliances. Highlights of the new OS version are faster endpoint posture checks coupled with identity-based access control, a three-fold increase in user capacity on LANenforcer appliances (resulting in reduced costs), and integration with existing identity-management systems to enforce predefined application access policies to simplify administration. Prices for LANenforcer appliances start at $15,000. LANsecure OS 3.0 will be generally available March 19. For more information, go to
http://www.nevisnetworks.com/

=== RESOURCES AND EVENTS
=============================
For more security-related resources, visit
http://www.windowsitpro.com/go/securityresources

Infosecurity Europe is Europe's number-one dedicated Information Security event, held 24-26 April 2007, Grand Hall, Olympia. Now in its 12th year, this event continues to provide an unrivalled education programme, new products and services, and exhibitors and visitors from every segment of the industry. For further information:
http://www.infosec.co.uk/windowsitpro

Get Ready for the Windows Server Longhorn Roadshow!
Seize control of your Windows infrastructure with Microsoft's biggest server release since Windows 2003. Get a live, under-the-hood look at Longhorn virtualization, deployment, Web services, and breakthroughs in core reliability. This one-day event is filled with demonstrations and in-depth discussions designed for IT pros who want a deep understanding of Windows Server Longhorn.
http://www.windowsitpro.com/roadshows/longhorn/?code=epromo

Deploy Exchange Server 2007 Without a Hitch!
This one-day technical training event teaches you how to preempt pitfalls and avoid corrupting your infrastructure. You'll learn how to effectively install, manage, and secure Exchange Server 2007 in a 64-bit environment. You'll also get a peek into the integration of Outlook, SharePoint Server 2007, and Exchange Server 2007. Register today!
http://www.windowsitpro.com/roadshows/exchange2007usa/?code=epromo

=== FEATURED WHITE PAPER
=============================
SQL Reporting Services is an exciting way for organizations to gain access and insight into their important business data stored in SQL Server. Get an overview of how to increase your production server's performance by offloading Reporting Services to a secondary server. Download your free copy today!
http://www.sqlmag.com/go/whitepapers/doubletake/sqlreporting/?code=030907featwp

=== ANNOUNCEMENTS
====================================
Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!
https://store.pentontech.com/index.cfm?s=1&promocode=eu2572us

Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting April nominations now, but only for a limited time! Submit your nomination today:
http://www.windowsitpro.com/go/itpromonth
===========================================================
Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).
http://www.windowsitpro.com/windowssecurity
http://www.securityprovip.com
Subscribe to Security UPDATE at
http://www.windowsitpro.com/Email/Index.cfm?action=archive
Unsubscribe by clicking
http://list.windowsitpro.com/u?id=%%SUBSCRIBER_ID_TAG%%
Be sure to add [email protected] to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- [email protected]
About technical questions -- http://www.windowsitpro.com/forums
About your product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.