Suhosin, the popular PHP hardening extension, is back!
Why do we need Suhosin-NG?
During our pentesting and auditing services we regularly encounter vulnerabilities in web applications that could have been mitigated simply by configuring the PHP environment more carefully or by deactivating a few function calls here and there. Just as the original Suhosin did for PHP 5 a few years ago, we want to offer a way to help protect PHP 7 setups.
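As an added illustration, not code from the Suhosin-NG project, here is a php.ini fragment applying the kind of configuration hardening and function deactivation mentioned above; the application path and the function list are assumptions that have to be adjusted per deployment:

```ini
; Added example: php.ini hardening for a PHP 7 web server.
; Every value below is a choice to be reviewed against the application;
; the path in open_basedir and the disable_functions list are assumed.

; Do not advertise the PHP version in the X-Powered-By header.
expose_php = Off

; Never show error details to the browser; log them instead.
display_errors = Off
log_errors = On

; Block remote file inclusion via include/require with a URL.
allow_url_include = Off
; Stricter still, if the application does not fetch URLs with fopen():
allow_url_fopen = Off

; Deactivate functions most web applications never need, so a
; code-injection bug does not immediately become command execution.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; Confine file access to the application tree and its temp dir (assumed path).
open_basedir = /var/www/app:/tmp

; Session cookie hardening.
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
```

Deploy such changes in a staging environment first and watch the PHP error log, since a disabled function or a too-narrow open_basedir shows up there as warnings before users notice breakage.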
What do we want to achieve?
The ultimate goal of the Suhosin-NG project is to enable most people running PHP 7 to run their web applications in the most secure environment possible without becoming experts in IT security.
How can this be done?
A detailed project plan is available on the GitHub project page.
When can we expect some results?
Suhosin-NG is not our only project. We will try to spend a few days each month analyzing, programming and tweaking. The result will eventually be available as open source software. All major work should be done by mid-2020. In the meantime there will be regular updates on our Suhosin-NG News Site as well as on Twitter every couple of weeks.
What can I do?
Suhosin-NG will be made possible by combining a lot of people's ideas. Some ideas have been collected after encountering various attack vectors, other ideas come from reading security-related news articles or simply from talking to like-minded people at conferences and meetups. If you have any suggestions, please feel free to leave a comment in the GitHub issue tracker of type "Feature Request" or just open a "regular issue".
Details are outlined on the Suhosin-NG News Site.