[Owasp-newjersey] Short course - 50% discount for OWASP members

Matt Joyce mjoyce at aculei.net
Tue May 1 15:53:03 EDT 2007


I hate to get baited by an obvious troll.  But to suggest PHP is less
secure or less enterprise ready than Java for web application
development is downright stupid.  Nothing in terms of real factual
information would support this sort of claim.  Now I will acknowledge
you have a subjective right to your own opinion.  But you cannot deny
that PHP usage has exceeded 50% of forward facing web sites.  Most large
organizations whether they admit it or not are housing a php enabled
webserver somewhere on their environment.  And not since the days of
php3 has anyone had a bad word to say about them.  In fact last I
checked Caucho Resin was compiling in the background to java byte-code.
A lot of J2EE shops have PHP webservers integrated in their environment.
I've worked on a live currency exchange apps backend that relied on J2EE
for the live trading clusters but served up web applications related to
the company and the software using php4.  JSP isn't very friendly to the
standardized forward facing web development cycle.  I say this because
most graphic artists and designers are outputting their templates and
story boards using smarty style templating... simply because it's what
they know and what's been showing up in the industry more.  I've yet to
meet a layout designer that was actually familiar with jsp.

Web app development is not the same as network app development or app
development in general.  It has different needs.  Especially since a
whole range of web apps are forward facing.
  
Additionally PHP5 finally has secured many of the security benefits of
true object oriented programming without the nasty overhead of the JVM
or the chronically broken world of non standardized broken ass application
servers that should be unmade such as weblogic and websphere.  Toss in
suhosin on top of that... and the lighttpd integration and wow... PHP5
is a simple fast and relatively secure language.  Flex Integration is
additionally redefining the industry.  

But at the end of the day all of this is really a moot point.  Since the
overwhelming majority of web applications are written by people with
little to no formal education or experience in object oriented design
much less secure coding practices.  So regardless of features and
functionality you have to expect that your development team is handing
you a pile of crap to put onto the internet and be completely exposed.
Thus auditing and "secure" environments.  PHP has suhosin, plus the
advantages of Zend monitoring if you happen to have the money handy.
Additionally php modules such as xdebug can be used to trace php
threads.  

As far as security goes.  PHP is by no means all that bad.  You just
need to read the manual, understand the equipment you are working with,
and take advantage of its greatest assets.

I additionally have found that 1 in 10 IIS boxes have been configured
well.  And 1 in 10 of the apps installed on them are actually well
written.  The remaining 9 are generally laughably to frighteningly
misconfigured and running apps that should be used as an example of what
not to do when you get out of college.  Any argument thrown at PHP can
be thrown at ASP.NET and at least PHP has the benefit of relying on
software that's well written and industry proven.  

There's a reason the apache webserver is ruling the internet.  

Or is someone going to attempt to cite cowboy-7350?  

I think if we get into a fight over this OWASP is simply going to have
to do a web app CTF tournament.  And we'll see who's right about what.

Money where your mouth is boys.

-Matt Joyce

PHP Usage Stats:

http://www.php.net/usage.php
http://www.nexen.net/chiffres_cles/phpversion/16814-php_stats_evolution_for_march_2007.php


On Tue, May 01, 2007 at 03:03:20PM -0400, David Goldsmith wrote:
> James:
> 
> Not sure I would go as far as to say you shouldn't write applications  
> in PHP because of security concerns but I would think that .NET  
> (ASP.NET et al) would be more important to talk about than PHP.
> 
> At least, that's what I see with our enterprise customers...
> 
> Cheers,
> 
> Dave G.
> 
> ---
> <daveg at matasano.com>
> Matasano Security LLC
> Matasano Team Blog: http://www.matasano.com/log
> 
> On May 1, 2007, at 2:13 PM, James Landis wrote:
> 
> > I should know better than to respond to advertising, but I just
> > couldn't help but take issue with the following statement:
> >
> > "The course will have emphasis on writing secure distributed programs
> > in Java, Standard Edition (Java SE), Java, Enterprise Edition (Java
> > EE), and PHP, which are the de facto standard languages for modern Web
> > applications."
> >
> > I wouldn't argue with Java being a standard for modern Web apps, but
> > PHP? I love PHP and everything, but it's hardly a standard. In fact, I
> > would never recommend that the average developer build an app in PHP
> > because it's simply way too easy to make security mistakes.
> >
> > -j
> >
> > On 5/1/07, Nasir Memon <memon at poly.edu> wrote:
> >> Hello,
> >> The Center for Advanced Telecommunication Technology (CATT) at
> >> Polytechnic University, Brooklyn, is offering a 50% discount rate to
> >> OWASP members for the following course at their Brooklyn campus.
> >> "Writing Secure Code for Today's Web Application Security". More
> >> information can be found at
> >> http://catt.poly.edu/details_shortcourses.php?event_id=31. If you are
> >> an OWASP member, please include this information in the comments field.
> >>
> >> Best regards,
> >> Nasir Memon
> >>
> >>
> >> ---------------------------------------------------------------------
> >> Nasir Memon                 Phone: 718-260-3970
> >> Polytechnic University      Fax: 718-260-3609
> >> Computer Science Dept       CS Dept. Phone: 718-260-3440
> >> Six MetroTech Center        Email: memon at poly.edu, AIM: evilproffy
> >> Brooklyn, NY 11201          Web: http://isis.poly.edu/memon
> >> ---------------------------------------------------------------------
> >>
> >>
> >> _______________________________________________
> >> Owasp-newjersey mailing list
> >> Owasp-newjersey at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-newjersey
> >>
> 
