[Owasp-newjersey] Short course - 50% discount for OWASP members

James Landis jcl24 at cornell.edu
Tue May 1 17:19:33 EDT 2007


Matt,
You are pretty passionate about PHP. First I will say that I agree
with you that it doesn't matter all that much what platform you give
an inexperienced developer to work with; he's going to make security
mistakes. However, the platform can do a lot to control the exposure
of those mistakes.

I certainly can deny that PHP usage has exceeded 50% of forward-facing
Web sites. In fact, the very article that you cite refutes that
(suggesting PHP is installed on closer to 33%). Whether or not the
site is actually using the PHP engine or it just got installed with
Apache is another question entirely. However, 33% hardly qualifies as
a de facto standard.

That is of course completely irrelevant to the question of whether PHP
is enterprise-ready, it's simply an appeal to the majority. You say
that no one has had anything bad to say about PHP since PHP3. However,
register globals wasn't even disabled by default until 4.2.

You say you've never met a designer familiar with JSP. How many do you
know that know PHP? Do you really want your designers writing your
application-tier code, anyway?

It is difficult to cite accurate statistics about the relative
security of the two platforms because there really are no good metrics
out there. You can't point to the number of published vulns sorted by
platform because it's much easier to find problems in open-source apps
than closed-source commercial apps, and the distribution there is
hardly uniform between the two. You can't point to the install base.
You can't point to the enterprise adoption rate. (How much sense has
corporate IT spending made in the last 10 years?)

So what can you point to? What are you left with other than your own
experience? In my experience, having built applications in PHP4, J2EE,
ASP (C# and classic), and pen-tested pretty much everything under the
sun, Java and C# apps are clearly the easiest to secure and to vet for
security.

PHP doesn't have the same enterprise adoption rate, which means less
money invested, fewer tools, and fewer experts. This says nothing
about the security of the platform itself, but it does raise the
bar from an enterprise security perspective. You mentioned that most
companies have PHP apps that they don't even know about. If they don't
know about them, how important are they to the success of the
business? Corporate is putting its money where its mouth is. If PHP
had as strong a story as you suggest, I'm sure you'd have no trouble
making billions in the software development/refactoring business to
get all those J2EE apps ported over to PHP and the developers
retrained.

I'm sure this isn't the first debate on the relative security of
application platforms, and I'm sure it won't be the last. As far as
I'm concerned, there is no application framework that exists that will
protect developers from even 50% of the vulnerabilities they can
introduce with their own code. Until that happens, it probably doesn't
make a whole lot of difference which platform you choose.

-j

On 5/1/07, Matt Joyce <mjoyce at aculei.net> wrote:
> I hate to get baited by an obvious troll.  But to suggest PHP is less
> secure or less enterprise ready than Java for web application
> development is downright stupid.  Nothing in terms of real factual
> information would support this sort of claim.  Now I will acknowledge
> you have a subjective right to your own opinion.  But you cannot deny
> that PHP usage has exceeded 50% of forward facing web sites.  Most large
> organizations whether they admit it or not are housing a php enabled
> webserver somewhere on their environment.  And not since the days of
> php3 has anyone had a bad word to say about them.  In fact last I
> checked Caucho Resin was compiling in the background to java byte-code.
> A lot of J2EE shops have PHP webservers integrated in their environment.
> I've worked on a live currency exchange app's backend that relied on J2EE
> for the live trading clusters but served up web applications related to
> the company and the software using php4.  JSP isn't very friendly to the
> standardized forward facing web development cycle.  I say this because
> most graphic artists and designers are outputting their templates and
> story boards using smarty style templating... simply because it's what
> they know and what's been showing up in the industry more.  I've yet to
> meet a layout designer that was actually familiar with jsp.
>
> Web app development is not the same as network app development or app
> development in general.  It has different needs.  Especially since a
> whole range of web apps are forward facing.
>
> Additionally PHP5 finally has secured many of the security benefits of
> true object oriented programming without the nasty overhead of the JVM
> or the chronically broken world of non standardized broken ass application
> servers that should be unmade such as weblogic and websphere.  Toss in
> suhosin on top of that... and the lighttpd integration and wow... PHP5
> is a simple fast and relatively secure language.  Flex Integration is
> additionally redefining the industry.
>
> But at the end of the day all of this is really a moot point.  Since the
> overwhelming majority of web applications are written by people with
> little to no formal education or experience in object oriented design
> much less secure coding practices.  So regardless of features and
> functionality you have to expect that your development team is handing
> you a pile of crap to put onto the internet and be completely exposed.
> Thus auditing and "secure" environments.  PHP has suhosin, plus the
> advantages of Zend monitoring if you happen to have the money handy.
> Additionally php modules such as xdebug can be used to trace php
> threads.
>
> As far as security goes, PHP is by no means all that bad.  You just
> need to read the manual, understand the equipment you are working with,
> and take advantage of its greatest assets.
>
> I additionally have found that 1 in 10 IIS boxes have been configured
> well.  And 1 in 10 of the apps installed on them are actually well
> written.  The remaining 9 are generally laughably to frighteningly
> misconfigured and running apps that should be used as an example of what
> not to do when you get out of college.  Any argument thrown at PHP can
> be thrown at ASP.NET and at least PHP has the benefit of relying on
> software that's well written and industry proven.
>
> There's a reason the apache webserver is ruling the internet.
>
> Or is someone going to attempt to cite cowboy-7350?
>
> I think if we get into a fight over this OWASP is simply going to have
> to do a web app CTF tournament.  And we'll see who's right about what.
>
> Money where your mouth is boys.
>
> -Matt Joyce
>
> PHP Usage Stats:
>
> http://www.php.net/usage.php
> http://www.nexen.net/chiffres_cles/phpversion/16814-php_stats_evolution_for_march_2007.php
>
>
> On Tue, May 01, 2007 at 03:03:20PM -0400, David Goldsmith wrote:
> > James:
> >
> > Not sure I would go as far as to say you shouldn't write applications
> > in PHP because of security concerns but I would think that .NET
> > (ASP.NET et al) would be more important to talk about than PHP.
> >
> > At least, that's what I see with our enterprise customers...
> >
> > Cheers,
> >
> > Dave G.
> >
> > ---
> > <daveg at matasano.com>
> > Matasano Security LLC
> > Matasano Team Blog: http://www.matasano.com/log
> >
> > On May 1, 2007, at 2:13 PM, James Landis wrote:
> >
> > > I should know better than to respond to advertising, but I just
> > > couldn't help but take issue with the following statement:
> > >
> > > "The course will have emphasis on writing secure distributed programs
> > > in Java, Standard Edition (Java SE), Java, Enterprise Edition (Java
> > > EE), and PHP, which are the de facto standard languages for modern Web
> > > applications."
> > >
> > > I wouldn't argue with Java being a standard for modern Web apps, but
> > > PHP? I love PHP and everything, but it's hardly a standard. In fact, I
> > > would never recommend that the average developer build an app in PHP
> > > because it's simply way too easy to make security mistakes.
> > >
> > > -j
> > >
> > > On 5/1/07, Nasir Memon <memon at poly.edu> wrote:
> > >> Hello,
> > >> The Center for Advanced Telecommunication Technology (CATT) at
> > >> Polytechnic University, Brooklyn, is offering a 50% discount rate to
> > >> OWASP members for the following course at their Brooklyn campus:
> > >> "Writing Secure Code for Today's Web Application Security". More
> > >> information can be found at
> > >> http://catt.poly.edu/details_shortcourses.php?event_id=31. If you
> > >> are an OWASP member, please include this information in the comments
> > >> field.
> > >>
> > >> Best regards,
> > >> Nasir Memon
> > >>
> > >>
> > >> ----------------------------------------------------------------------
> > >> Nasir Memon                 Phone: 718-260-3970
> > >> Polytechnic University      Fax: 718-260-3609
> > >> Computer Science Dept       CS Dept. Phone: 718-260-3440
> > >> Six MetroTech Center        Email: memon at poly.edu, AIM: evilproffy
> > >> Brooklyn, NY 11201          Web: http://isis.poly.edu/memon
> > >> ----------------------------------------------------------------------
> > >>
> > >>
> > >> _______________________________________________
> > >> Owasp-newjersey mailing list
> > >> Owasp-newjersey at lists.owasp.org
> > >> https://lists.owasp.org/mailman/listinfo/owasp-newjersey
> > >>
> >