[Owasp-newjersey] Short course - 50% discount for OWASP members
David Goldsmith
daveg at matasano.com
Tue May 1 16:38:23 EDT 2007
Matt:
Of course, PHP is enterprise ready and of course it can be
implemented and deployed as securely as any of the other platforms.
That wasn't what I said at all. I wasn't implying that PHP wasn't
enterprise ready, but that it wasn't as common in the enterprises
that I work with. Even your argument of "Most large organizations
whether they admit it or not are housing a php enabled webserver
somewhere on their environment." supports that.
Anyways, sorry for the miscommunication...
Dave
On May 1, 2007, at 3:53 PM, Matt Joyce wrote:
> I hate to get baited by an obvious troll. But to suggest PHP is less
> secure or less enterprise ready than Java for web application
> development is downright stupid. Nothing in terms of real factual
> information would support this sort of claim. Now I will acknowledge
> you have a subjective right to your own opinion. But you cannot deny
> that PHP usage has exceeded 50% of forward facing web sites. Most large
> organizations whether they admit it or not are housing a php enabled
> webserver somewhere on their environment. And not since the days of
> php3 has anyone had a bad word to say about them. In fact last I
> checked Caucho Resin was compiling in the background to java bytecode.
> A lot of J2EE shops have PHP webservers integrated in their environment.
> I've worked on a live currency exchange apps backend that relied on J2EE
> for the live trading clusters but served up web applications related to
> the company and the software using php4. JSP isn't very friendly to the
> standardized forward facing web development cycle. I say this because
> most graphic artists and designers are outputting their templates and
> story boards using smarty style templating... simply because it's what
> they know and what's been showing up in the industry more. I've yet to
> meet a layout designer that was actually familiar with jsp.
>
> Web app development is not the same as network app development or app
> development in general. It has different needs. Especially since a
> whole range of web apps are forward facing.
>
> Additionally PHP5 finally has secured many of the security benefits of
> true object oriented programming without the nasty overhead of the JVM
> or the chronically broken world of non standardized broken ass application
> servers that should be unmade such as weblogic and websphere. Toss in
> suhosin on top of that... and the lighttpd integration and wow... PHP5
> is a simple fast and relatively secure language. Flex Integration is
> additionally redefining the industry.
>
> But at the end of the day all of this is really a moot point, since the
> overwhelming majority of web applications are written by people with
> little to no formal education or experience in object oriented design
> much less secure coding practices. So regardless of features and
> functionality you have to expect that your development team is handing
> you a pile of crap to put onto the internet and be completely exposed.
> Thus auditing and "secure" environments. PHP has suhosin, plus the
> advantages of Zend monitoring if you happen to have the money handy.
> Additionally php modules such as xdebug can be used to trace php threads.
>
> As far as security goes, PHP is by no means all that bad. You just
> need to read the manual, understand the equipment you are working with,
> and take advantage of its greatest assets.
>
> I additionally have found that 1 in 10 IIS boxes have been configured
> well. And 1 in 10 of the apps installed on them are actually well
> written. The remaining 9 are generally laughably to frighteningly
> misconfigured and running apps that should be used as an example of what
> not to do when you get out of college. Any argument thrown at PHP can
> be thrown at ASP.NET and at least PHP has the benefit of relying on
> software that's well written and industry proven.
>
> There's a reason the apache webserver is ruling the internet.
>
> Or is someone going to attempt to cite cowboy-7350?
>
> I think if we get into a fight over this OWASP is simply going to have
> to do a web app CTF tournament. And we'll see who's right about what.
>
> Money where your mouth is boys.
>
> -Matt Joyce
>
> PHP Usage Stats:
>
> http://www.php.net/usage.php
> http://www.nexen.net/chiffres_cles/phpversion/16814-php_stats_evolution_for_march_2007.php
>
>
> On Tue, May 01, 2007 at 03:03:20PM -0400, David Goldsmith wrote:
>> James:
>>
>> Not sure I would go as far as to say you shouldn't write applications
>> in PHP because of security concerns but I would think that .NET
>> (ASP.NET et al) would be more important to talk about than PHP.
>>
>> At least, that's what I see with our enterprise customers...
>>
>> Cheers,
>>
>> Dave G.
>>
>> ---
>> <daveg at matasano.com>
>> Matasano Security LLC
>> Matasano Team Blog: http://www.matasano.com/log
>>
>> On May 1, 2007, at 2:13 PM, James Landis wrote:
>>
>>> I should know better than to respond to advertising, but I just
>>> couldn't help but take issue with the following statement:
>>>
>>> "The course will have emphasis on writing secure distributed programs
>>> in Java, Standard Edition (Java SE), Java, Enterprise Edition (Java
>>> EE), and PHP, which are the de facto standard languages for modern Web
>>> applications."
>>>
>>> I wouldn't argue with Java being a standard for modern Web apps, but
>>> PHP? I love PHP and everything, but it's hardly a standard. In fact, I
>>> would never recommend that the average developer build an app in PHP
>>> because it's simply way too easy to make security mistakes.
>>>
>>> -j
>>>
>>> On 5/1/07, Nasir Memon <memon at poly.edu> wrote:
>>>> Hello,
>>>> The Center for Advanced Telecommunication Technology (CATT) at Polytechnic
>>>> University, Brooklyn, is offering a 50% discount rate to OWASP members for
>>>> the following course at their Brooklyn campus. "Writing Secure Code for
>>>> Today's Web Application Security". More information can be found at
>>>> http://catt.poly.edu/details_shortcourses.php?event_id=31. If you are an
>>>> OWASP member, please include this information in the comments field.
>>>>
>>>> Best regards,
>>>> Nasir Memon
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> Nasir Memon
>>>> Polytechnic University
>>>> Computer Science Dept
>>>> Six MetroTech Center
>>>> Brooklyn, NY 11201
>>>> Phone: 718-260-3970
>>>> Fax: 718-260-3609
>>>> CS Dept. Phone: 718-260-3440
>>>> Email: memon at poly.edu, AIM: evilproffy
>>>> Web: http://isis.poly.edu/memon
>>>> ------------------------------------------------------------------------
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-newjersey mailing list
>>>> Owasp-newjersey at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-newjersey
>>>>