Suhosin-NG
Harden PHP 7 and PHP 8 applications
The PHP programming language was invented by Danish programmer Rasmus Lerdorf in 1994. The language is actively used by millions of websites through popular tools such as WordPress, Owncloud and Wikimedia. Suhosin-NG (next generation) will significantly improve the security of web applications running with PHP 7, and help thwart popular web attack vectors aimed at PHP based websites. Already existing ideas from the Suhosin project for PHP 5 will be gathered in addition to implementing a number of new ideas to improve the overall security stature of PHP 7. This concerns harnessing new features of the language, mitigating security risks in the default configuration and improvements to the runtime behaviour. In practical terms the project will implement these by extending the PHP extension Snuffleupagus, that already provides a good basis for hardening PHP 7. The project's goal is to provide software and documentation for setting up a PHP 7 environment in the most secure way possible.
- The project's own website: https://github.com/sektioneins/suhosin-ng
Why does this actually matter to end users?
When you think of programming, you probably do not think of the websites and online services you use and login to everyday. Still, to make a social networking site like Facebook or a popular web content management tool like Wordpress work, users need to interact with a server that in turn should correctly access databases that hold the information needed. That is what the PHP web programming language can do and currently does for the millions of websites that use tools like Wordpress and Wikimedia.
The fact that PHP is a popular web programming language does not mean however that it entirely secure, or that it is always used with attention to security. Through the years, many web vulnerabilities have been found and attributed to bad PHP implementations or insecure default settings. Advancing the state of art in a massively used web programming language is of course non-trivial: if we want to trust some of the most visited websites and services, we should be sure that the technical backend is built securely. Suhosin is a continuous effort to update and secure new versions of PHP and guarantee that implementations leave no loose ends. Suhosin NG, which stands for Next Generation, aims to connect the work already done with a new project created from scratch to best protect PHP 7, the latest version of the web programming language.
Run by SektionEins GmbH
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.