I passed the ZCE exam this morning. Wasn’t that hard of an exam, though there was lots of code reading, with little errors to detect.
The conference has been off to a slow start, but I'm in Ilia Alshanetsky's State of PHP Security talk and it seems that we're off to a good start.
The focus of the talk is on the security of the core language. The talk started with the state of PHP security at the beginning of the year, and I think the best way to sum it up is that PHP wasn't taking a proactive enough approach. The good news is that items like the Month of PHP Bugs got people to react, and things have gotten better:
Automated code analysis (Coverity)
Tests for all security bugs, and lots more tests in general (there is an IBM developer writing 10-20 unit tests a day)
Valgrind memory checking
Code coverage using gcov
Giving credit to security researchers
The good news is that tons of vulnerabilities have been fixed in the 5.2.x series. The even better news is that most of the vulnerabilities aren't easily exploitable.
The talk made me feel better about security issues overall. It's all part of PHP growing up, but I wish PHP had been taking this more proactive security approach years ago.
Ilia’s slides should be available in the next couple days from his site.