PHP Security for Deployers
If you're a Developer
READ THIS and then work with your SysAdmins to step through any and all the layers of security designed to protect your apps.
Example:
Traffic must first pass through an SPI (stateful packet inspection) firewall. Ensure that ONLY necessary ports/protocols are permitted, and ensure that EGRESS BLOCKING is in place so that if your system IS compromised it will be very difficult for the attacker to send data back or attack someone else via the Network Layer. (Need reference: "traditional" SPI-based firewall security.)
Traffic may then pass through an in-line IPS (Intrusion Prevention System) to filter out network-based attacks against the OS, web platform, or PHP framework itself.
Traffic may then pass through a WAF (Web Application Firewall) such as ModSecurity or a commercial WAF to defeat basic script-based attacks.
Traffic may then pass through an additional layer of security such as PHP-IDS to identify other attacks or concerns.
By the time traffic has passed through all the layers above, you've achieved a significant measure of mitigation; HOWEVER, you still need to follow all the best practices to "harden" PHP, perhaps by using Suhosin.
Ditto for all other layers. Your SysAdmin should ensure that the OS and web server (IIS, Apache) are also hardened. See the NSA's security configuration guides to get started.
The rest is up to you, the developer. Write secure code. How difficult could THAT be? All it takes is a little work...
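As an added example (it is not from the OWASP page or from any project the page names), the POSIX shell script below audits a php.ini for a handful of the hardening directives a deployer verifies before relying on Suhosin, a WAF or an IPS to catch what the application lets through. The directive names are real php.ini settings; the two ini files are constructed samples written into temporary files, and the helper function names (php_ini_value, weak_directives, count_weak_directives) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the OWASP page: audit a php.ini for a few
# hardening directives and report each weak setting beside the value a
# hardened production deployment sets. Directive names are real php.ini
# settings; the sample ini files below are constructed for this demo.
set -eu

# Print the effective value of directive $2 in ini file $1: the last
# uncommented assignment wins; trailing ";" comments, quotes and CR are stripped.
php_ini_value() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots, e.g. session.cookie_httponly
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*;.*$//' | tail -n 1 | tr -d '"\r'
}

# Map PHP's accepted boolean spellings (On/Off, yes/no, true/false, 1/0, empty) to 1 or 0.
norm_bool() {
  case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
    1|on|true|yes) echo 1 ;;
    *)             echo 0 ;;
  esac
}

# Print one line per weak directive in ini file $1 (prints nothing when all checks pass).
weak_directives() {
  ini=$1
  # directive:expected -- 0 means the setting must be Off, 1 means it must be On
  for rule in expose_php:0 display_errors:0 allow_url_fopen:0 allow_url_include:0 \
              session.cookie_httponly:1 session.use_strict_mode:1; do
    key=${rule%%:*}
    want=${rule#*:}
    raw=$(php_ini_value "$ini" "$key")
    if [ "$(norm_bool "$raw")" != "$want" ]; then
      if [ "$want" = 1 ]; then label=On; else label=Off; fi
      echo "$key = ${raw:-<unset>} (want $label)"
    fi
  done
  # open_basedir has no boolean form: it is weak whenever it is left empty
  [ -n "$(php_ini_value "$ini" open_basedir)" ] \
    || echo "open_basedir = <unset> (want the app's document root and temp dir)"
  return 0
}

# Number of weak directives in ini file $1, printed as a single integer.
count_weak_directives() {
  weak_directives "$1" | wc -l | tr -d ' '
}

# --- constructed sample inputs ---------------------------------------------
WEAK_INI=$(mktemp)
HARDENED_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$HARDENED_INI"' EXIT

cat >"$WEAK_INI" <<'EOF'
; constructed: a development php.ini that ended up on a production host
expose_php = On
display_errors = On   ; leaks paths and stack traces to clients
allow_url_fopen = On
allow_url_include = Off
session.cookie_httponly =
session.use_strict_mode = 0
open_basedir =
EOF

cat >"$HARDENED_INI" <<'EOF'
; constructed: the same directives as a hardened deployment would set them
expose_php = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
session.cookie_httponly = 1
session.use_strict_mode = 1
open_basedir = "/var/www/app:/tmp"
disable_functions = exec,passthru,shell_exec,system
EOF

for f in "$WEAK_INI" "$HARDENED_INI"; do
  echo "== $f: $(count_weak_directives "$f") weak directive(s)"
  weak_directives "$f"
done
```

Run it against the file that `php --ini` reports as loaded on the production host; note that per-directory overrides (php_value in .htaccess under mod_php, or .user.ini under CGI/FastCGI) are not seen by this check, so a clean result here does not settle what a particular virtual host actually runs with.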
If you're a Tester
Note that PHP-IDS and ModSecurity can also be useful tools for testing/discovering vulnerabilities in your code. See Ryan Barnett's excellent presentation to the Boulder OWASP chapter regarding using ModSecurity to identify app vulns on an ongoing basis.
Grab the OWASP LiveCD from owasp.org or appseclive.org and review the great information in the OWASP Testing Project.
If you're a SysAdmin
BE PATIENT. NOBODY was born with a visceral understanding of how to write secure code,