The PHP: Hypertext Preprocessor scripting language remains as popular today as it has been since its debut in 1994. Developers turn to PHP for its simplicity and flexibility. According to W3Techs, PHP is used today for server-side programming by nearly 78 percent of websites, including big names like Facebook, Zoom, and Wikipedia.
However, not all websites that rely on PHP use the latest and most secure version. In fact, only three percent of websites use version 8 (including 8.0, 8.1, or 8.2), the only fully supported version of PHP today. The rest are running on older versions, many of which have no security support at all.
Even those sites running on version 7.4 – the only earlier version still receiving security support -- will be at elevated risk once that support sunsets on November 28, 2022.
As Hannah Booth, a PHP security expert notes, “Some, possibly most, security threats for sites relying on PHP are directly caused by developers working with outdated and unsupported versions of the tool.”
What are some of the risks faced by websites relying on older, outdated versions of PHP? XSS, remote file inclusion, and outdated components are just a few of the most common threats.
Ignoring these vulnerabilities exposes a site to a variety of very undesirable outcomes, including:
But the situation isn’t hopeless. There are straightforward steps companies can take to mitigate these security risks. It starts by moving developers to the most up-to-date version of PHP. At the very least, leaders should ensure their teams are using a version of PHP that will still receive security support for the foreseeable future.
There’s another equally important way to build stronger security into every line of code. Developers must understand the threats inherent in PHP, then learn how to mitigate those threats through defensive coding strategies to prevent attacks in the first place.
Our new PHP Green Belt path can help development teams achieve these security goals. The program includes 14 lessons to help developers – or anyone that wants to expand their knowledge – become PHP security champions.
Each lesson is short with a laser focus, so learners can move along the path in small chunks that fit around their other responsibilities. It is easy to quickly fill gaps in a developer’s day, like those that occur while code is deploying.
Learners demonstrate their mastery of each topic with a brief, ten-question assessment at the end of each lesson. Some of the content you’ll find in the program includes:
Our all-new PHP Green Belt path works in conjunction with our existing 13-lesson Secure Development Core Lesson Module. Together, the two programs build upon our White Belt foundation to code safer websites and apps.