The Open Source Technology Improvement Fund (OSTIF) is proud to share the results of our documentation audit of PHP. Specifically, the audit covered the open source implementation of the interpreter for the PHP scripting language, which is widely used for web development. As a result of this collaboration between OSTIF, Quarkslab, and The PHP Foundation, PHP was able to improve its documentation for future software development.

Audit Process:

This documentation audit was additional work to the security audit of PHP, also conducted by Quarkslab in collaboration with OSTIF. Because the documentation of PHP is expansive, the work was scoped down to the following priorities: first filesystem and cryptography, followed by code snippets in user comments. See the documentation report for the specific pages audited. Other pages were reviewed as time permitted.

Audit Results:

Quarkslab identified 81 findings with security relevance over the 10 labor days of auditing. None of these findings received a severity rating. The PHP maintainer team nonetheless worked to resolve many of the findings and incorporate fixes into their documentation, improving its quality and resiliency. The fixes were then verified by the Quarkslab engineers. Please see the report appendix for further details on the findings.

Thank you to the individuals and groups that made this engagement possible:

  • PHP maintainers and community, especially: Roman Pronskiy, Jakub Zelenka, and Gina Peter Banyard
  • Quarkslab team: Angèle Bossuat, Julio Loayza Meneses, Mihail Kirov, Sebastien Rolland, Ramtine Tofighi Shirazi, and Pauline Sauder
  • The Sovereign Tech Agency

You can read the Audit Report HERE

You can read Quarkslab’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].

OSTIF is celebrating our 10-year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar: https://lu.ma/ostif-meetups