Andi Gutmans on PHP, Cloud Computing and Security
Zend builds Zend Server, Zend Server in the Cloud, Zend Unlimited, Zend Framework, Zend Studio, Zend Developer Edition, Zend Developer Cloud, Zend Guard in addition to the popular PHP framework which powers nearly millions of sites and blogs across the web.
In an exclusive interview to InfoQ, Andi Gutmans, CEO and Co-founder, Zend shares his views about cloud computing, various aspects related to PHP including security and the course of action which needs to be taken to protect your site from hackers.
InfoQ: Can you explain the meaning of cloud computing in simple words?
There are so many different options within the world of cloud computing (SaaS, Iaas, Paas) so there’s no one easy answer to this one. For most developers what cloud means is self-service development environments (which means no wasting time installing, configuring and managing your development environment), and a frictionless path to ease the handoffs and collaboration between development, test, and production.
At Zend, we offer a free development environment (the Zend Developer Cloud), and one of the elements that our users tell us they most appreciate is the ability to share snapshots of their stack and code with other developers. That easy sharing thought is a big aspect of many cloud solutions.
InfoQ: Do you think the world has completely utilized the potential of cloud computing?
Absolutely not, we are only at the beginning of taking advantage of the potential of cloud computing. There is a lot of change yet to come in how companies embrace Platform as a Service in particular. This is because leveraging pre-built infrastructure allows more focus on what matters - the apps themselves. A lot of applications are also going to move in the future to SaaS, which in turn will drag along an increased usage of IaaS and PaaS also to support those apps.
InfoQ: From your point of view, how can cloud computing benefit end users?
It will be easier for application owners to deliver application level SLAs around end user response time and availability by leveraging cloud computing. The agility of cloud computing is also going to enable companies to innovate faster - thus providing more end user value.
InfoQ: Can you share with us how developers managed projects prior to the evolution of cloud computing?
Prior to cloud computing it was a lot more difficult for developers to implement an agile development process - as a result they had to either work harder to create that flexibility in a non-cloud environment, or deal with a lack of development agility.
InfoQ: From your point of view, which cloud platform is beneficial and less vulnerable - Windows Azure, PHP or Java based?
Well, went it comes to security there is a lot that goes into the security of an application - language runtime security, development best practices, physical security, network security, access control, and several others.
One important point is whatever language you choose, it is important to look for the vendors who are fastest at responding to issues (the reality is that you can never avoid all language issues occurring). For example, recently the PHP community has been faster to respond to security issues than the Java community has been.
However, it is also important to remember that the primary challenge that deserves a dev team’s focus is the application code itself, as this is where vulnerabilities are most likely to be introduced. Taking advantage of frameworks, code audits, and training are the 3 most common ways to mitigate this risk.
InfoQ: How do you see the potential of cloud computing after 2030?
We probably have a different iteration of cloud computing possibly under a different name by then, but the core advantages of scale and agility will clearly continue to exist, and drive broad adoption.
InfoQ: Do you think data passed through cloud computing platform will be secure?
There is a lot of innovation in the cloud data security space right now. Long term, we believe data in the cloud can be just as secure as on premise if not more secure. The economies of scale that companies see in the cloud in the areas of scalability and cost today, can be expanded to economies of scale leveraging the security expertise of large companies like Microsoft, Google and Amazon in the future. It is unlikely that any small company or organization will be able to invest in infrastructure security at the depth and level of detail that these players will be able to.
InfoQ: Can you share with us the role of PHP in the development of mobile apps?
In our experience, PHP is being chosen more than any other language for the back–end of mobile apps. In fact, based on Evans Data surveys, 75% of dynamic language developers who are working on mobile apps choose PHP. Plus, our own Zend surveys show that over 90% of PHP devs are already working on mobile apps. We see PHP being chosen because of its flexibility, ease of integration with existing back end systems, plus it lends itself well to an API based architecture.
InfoQ: Can you explain the role of Zend in the development of PHP applications?
Zend continues to be a significant contributor to the PHP language. The Zend Engine, which is the core of PHP, continues to be maintained by Zend. We also just recently contributed bytecode caching technology which will be shipping as part of PHP 5.5. Contributing as part of the PHP community continues to be important to Zend and we also contribute to other open source projects including Eclipse PDT and Zend Framework.
Zend’s successful commercial offering, the Zend Server Application Platform, leverages the same open source PHP, but adds additional capabilities around auto-scaling, session clustering/failover, as well as monitoring of your PHP apps so you can be alerted to and hopefully avoid the most common application issues.
InfoQ: Developers often report severe vulnerabilities in PHP from time to time. Can you share with us the security measures that are planned to be implemented in the upcoming releases to harden PHP and also to protect the site from hackers?
The PHP security response team continues to collaborate with a variety of large vendors and security researchers to pinpoint and address emerging security issues. The PHP application frameworks are all also trying to address this issue by enhancing the best practices within each framework.
InfoQ: In my state, Kerala, India, most of the local Government department websites are developed using PHP. Recently, many of these sites are hacked. Can you share with us the steps needed to be taken to prevent such incidents in future?
I recommend starting with an application audit. Nothing can help as much as having an expert from the outside look at your application code. The second point would be to become close to at least one of the major PHP frameworks (Zend Framework, CakePHP, Syfomy) - each of these has an ongoing focus on attacking the latest issues so it is helpful to stay closely in touch with their latest updates.
Lastly, there are some great security training classes out there - developers need ongoing web security training to understand how to implement the latest best practices, which are constantly being updated.
Security in the cloud
This is another interesting article that discusses Cloud security in detail.
Delivering Performance Under Schedule and Resource Pressure: Lessons Learned at Google and Microsoft
Ivan Filho Mar 06, 2014
Andrew Stellman Mar 06, 2014