Why did you start the Hardened-PHP Project?
Stefan Esser: The Hardened-PHP Project was founded in 2004 in response to a number of security bugs I found in the PHP source code. The idea of a hardened version of PHP was actually much older, but it was never implemented until 2004. The problem I saw with PHP was that often some new feature was hacked into it in a dirty way without thinking about the consequences for other areas of the code. Additionally, after having fixed a number of remote exploits in CVS versions of PHP before they made it to release versions, I stopped trusting the code at all. Therefore the low-level protections like canaries and safe_unlink were implemented. Additionally it seemed a good idea to stop remote URL includes by completely forbidding them. The HTTP response splitting problem was also killed at the low level by stopping newlines in PHP's header() function. Over time more and more features made it into Hardened-PHP. [That is] until I was ordered by the PHP Group to rename my "fork" because of the PHP license. Because the PHP license actually contains such a paragraph, the patch was renamed into the Hardening-Patch for PHP, although I still don't get why they attack a PHP security extension in such a way. Later that year the Hardened-PHP Project became bigger, when two German security researchers from the PHP community joined the team. We started offering PHP security audits and PHP security courses. The two other team members finished their German PHP Security book and gave several PHP Security talks at various PHP conferences.
http://www.securityfocus.com/columnists/432
Tyrael
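The interview mentions that the Hardening-Patch killed HTTP response splitting by refusing newlines in header(). The following is an added example, not code from the interview or from the Hardened-PHP Project, showing the same check done in userland: a wrapper (the name safe_header is my own) that rejects CR/LF in a header value before it ever reaches header(). Note that PHP itself has refused such values in header() since 5.1.2; the wrapper makes the rejection explicit and loggable rather than silent.

```php
<?php
// Added example (not from the interview or Hardened-PHP): reject CR/LF in
// header values before calling header(). A CR or LF inside a value would
// terminate the current header line and let the rest of the value be parsed
// as a new header, or as the start of the response body.

function safe_header(string $name, string $value): void
{
    // Header names are RFC 7230 tokens: letters, digits and a few symbols.
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
        throw new InvalidArgumentException("invalid header name");
    }
    // Any CR or LF in the value is a line-termination attempt; refuse it
    // outright rather than trying to strip or encode it.
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("CR/LF in value of header $name");
    }
    header("$name: $value");
}

// Constructed sample inputs, as they might arrive from a query parameter.
$clean    = 'https://example.com/welcome';
$injected = "https://example.com/welcome\r\nX-Injected: 1";

try {
    safe_header('Location', $clean);     // accepted
    safe_header('Location', $injected);  // throws before header() is reached
} catch (InvalidArgumentException $e) {
    // Surface the rejection where a defender can see it.
    error_log('blocked header injection: ' . $e->getMessage());
}
```

Run it from the CLI to see the second call logged as blocked; in a web context, only the first Location header would be emitted.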