[Owasp-newjersey] Short course - 50% discount for OWASP members

Matt Joyce mjoyce at aculei.net
Tue May 1 17:41:05 EDT 2007


On Tue, May 01, 2007 at 05:19:33PM -0400, James Landis wrote:
> Matt,
> You are pretty passionate about PHP. First I will say that I agree
> with you that it doesn't matter all that much what platform you give
> an inexperienced developer to work with; he's going to make security
> mistakes. However, the platform can do a lot to control the exposure
> of those mistakes.

Accepted.  And I am not supremely passionate about PHP so much as I am
dispassionate towards naysayers.

> I certainly can deny that PHP usage has exceeded 50% of forward-facing
> Web sites. In fact, the very article that you cite refutes that
> (suggesting PHP is installed on closer to 33%). Whether or not the
> site is actually using the PHP engine or it just got installed with
> Apache is another question entirely. However, 33% hardly qualifies as
> a de facto standard.

Yeah I misread the graph in my haste to not waste time on this pursuit.
33% exceeds qualification for a de facto standard. 

> 
> That is of course completely irrelevant to the question of whether PHP
> is enterprise-ready, it's simply an appeal to the majority. You say
> that no one has had anything bad to say about PHP since PHP3. However,
> register globals wasn't even disabled by default until 4.2.
> 

No it is not completely irrelevant if you acknowledge the value of your
peers.  A large market share indicates a large number of IT
professionals (some more than others) believe PHP to be enterprise
ready and have deployed it.

A number of companies make their bread and butter selling PHP centric
web applications.  

> You say you've never met a designer familiar with JSP. How many do you
> know that know PHP? Do you really want your designers writing your
> application-tier code, anyway?

LAMP application developers are a dime a dozen and most decent designers
I have worked with are decent because they bother to get into this stuff
on their own time.  While I personally have no love for joe LAMP
deployment, I am willing to accept the value it has in the development
of necessary technical skills in a GUI designer for any web app.
Additionally I do want my designers having an eye towards the backend
development process and systems support.  It will make it easier for
everyone to work together and communicate.  Obviously not forcing
designers to learn a custom templating engine and relying on a popular
one makes a lot of sense.  And since most decent web applications rely
on templating for separation of application logic and looks / feel /
localization / whitefacing / what have you... this is certainly a
benefit in my eyes.

> It is difficult to cite accurate statistics about the relative
> security of the two platforms because there really are no good metrics
> out there. You can't point to the number of published vulns sorted by
> platform because it's much easier to find problems in open-source apps
> than closed-source commercial apps, and the distribution there is
> hardly uniform between the two. You can't point to the install base.
> You can't point to the enterprise adoption rate. (How much sense has
> corporate IT spending made in the last 10 years?)

Figures never lie, but liars figure.  Yeah it's hard to say which is
more secure than the other.  That wasn't the thrust of my argument
really.  I did point out some of the major security features of PHP so
that you might gain a better understanding of just how PHP is generally
secured in today's web environments.  If you'd like to get in depth on
this line of discussion I would suggest we choose some topics of
interest to focus on lest we get lost on tangential tirades.

> So what can you point to? What are you left with other than your own
> experience? In my experience, having built applications in PHP4, J2EE,
> ASP (C# and classic), and pen-tested pretty much everything under the
> sun, Java and C# apps are clearly the easiest to secure and to vet for
> security.

And I call shenanigans.  Additionally there is a lot more to security
than the application itself.  Isolating applications, controlling the
way they execute on a host and what resources are available to them all
factor into security.  In that regard C# and Java are generally a pain
in the ass to "secure" since security relies on network isolation.  Do
Java and C# have a more robust and complete object oriented language
set?  yes.  Does Java have some really great classes for encryption?
Sure.  So does PHP.  And PHP5 is a hair's breadth shy of object oriented
completeness.

In my pen testing and administrative experience... Java web app
developers are the most likely to attempt to implement their own custom
shite encryption methods and dump pre auth logic into javascript.  C#
developers are the most likely not to understand how their backend
database works and leave their apps open to fifteen different types of
SQL injection.  And PHP developers are the ones most likely to install a
bunch of apps they don't need and never update any of them.  That's my
experience.  It's completely irrelevant to the discussion but while we're
sharing I figured I'd mention it.

What specific security functionality within C# and / or Java exceeds
that offered by a well configured PHP environment?

> PHP doesn't have the same enterprise adoption rate, which means less
> money invested, fewer tools, and fewer experts. This says nothing
> about the security of the platform itself, but it does raise the
> bar from an enterprise security perspective. You mentioned that most
> companies have PHP apps that they don't even know about. If they don't
> know about them, how important are they to the success of the
> business? Corporate is putting its money where its mouth is. If PHP
> had as strong a story as you suggest, I'm sure you'd have no trouble
> making billions in the software development/refactoring business to
> get all those J2EE apps ported over to PHP and the developers
> retrained.

That's bull.  Java's adoption rate is incredibly low outside of fortune
500s because no one can afford to legally support it.  I've worked for
mid range businesses running java on their backend.  And if the BSA ever
audited them it would bankrupt them.  Additionally the hardware
requirements for stable java deployment far exceed that of C# or PHP.
What's worse is Java tends to rely heavily on Oracle.

> I'm sure this isn't the first debate on the relative security of
> application platforms, and I'm sure it won't be the last. As far as
> I'm concerned, there is no application framework that exists that will
> protect developers from even 50% of the vulnerabilities they can
> introduce with their own code. Until that happens, it probably doesn't
> make a whole lot of difference which platform you choose.
> -j

I don't see much of an argument coming from you.  I understand you have
your opinions and experiences but I'd like to see a more formalized
communication of why PHP is inferior.  With specific scenarios and logic
as to why.  I'll try not to be hasty in my responses.  Because if I
don't proofread I tend to be hard to read.

I accept you have experience that may outweigh mine.  And I want to hear
your opinion.  But it carries no weight if it's not backed up by a clear
and logical argument.  And that's just wasted inbox space.

Additionally... I bet you use emacs.  You sound like a dirty emacs user
to me.

-matt
 
> On 5/1/07, Matt Joyce <mjoyce at aculei.net> wrote:
> >I hate to get baited by an obvious troll.  But to suggest PHP is less
> >secure or less enterprise ready than Java for web application
> >development is downright stupid.  Nothing in terms of real factual
> >information would support this sort of claim.  Now I will acknowledge
> >you have a subjective right to your own opinion.  But you cannot deny
> >that PHP usage has exceeded 50% of forward facing web sites.  Most large
> >organizations whether they admit it or not are housing a php enabled
> >webserver somewhere on their environment.  And not since the days of
> >php3 has anyone had a bad word to say about them.  In fact last I
> >checked Caucho Resin was compiling in the background to java byte-code.
> >A lot of J2EE shops have PHP webservers integrated in their environment.
> >I've worked on a live currency exchange apps backend that relied on J2EE
> >for the live trading clusters but served up web applications related to
> >the company and the software using php4.  JSP isn't very friendly to the
> >standardized forward facing web development cycle.  I say this because
> >most graphic artists and designers are outputting their templates and
> >story boards using smarty style templating... simply because it's what
> >they know and what's been showing up in the industry more.  I've yet to
> >meet a layout designer that was actually familiar with jsp.
> >
> >Web app development is not the same as network app development or app
> >development in general.  It has different needs.  Especially since a
> >whole range of web apps are forward facing.
> >
> >Additionally PHP5 finally has secured many of the security benefits of
> >true object oriented programming without the nasty overhead of the JVM
> >or the chronically broken world of non standardized broken ass application
> >servers that should be unmade such as weblogic and websphere.  Toss in
> >suhosin on top of that... and the lighttpd integration and wow... PHP5
> >is a simple fast and relatively secure language.  Flex Integration is
> >additionally redefining the industry.
> >
> >But at the end of the day all of this is really a moot point.  Since the
> >overwhelming majority of web applications are written by people with
> >little to no formal education or experience in object oriented design
> >much less secure coding practices.  So regardless of features and
> >functionality you have to expect that your development team is handing
> >you a pile of crap to put onto the internet and be completely exposed.
> >Thus auditing and "secure" environments.  PHP has suhosin, plus the
> >advantages of Zend monitoring if you happen to have the money handy.
> >Additionally php modules such as xdebug can be used to trace php
> >threads.
> >
> >As far as security goes.  PHP is by no means all that bad.  You just
> >need to read the manual, understand the equipment you are working with,
> >and take advantage of its greatest assets.
> >
> >I additionally have found that 1 in 10 IIS boxes have been configured
> >well.  And 1 in 10 of the apps installed on them are actually well
> >written.  The remaining 9 are generally laughably to frighteningly
> >misconfigured and running apps that should be used as an example of what
> >not to do when you get out of college.  Any argument thrown at PHP can
> >be thrown at ASP.NET and at least PHP has the benefit of relying on
> >software that's well written and industry proven.
> >
> >There's a reason the apache webserver is ruling the internet.
> >
> >Or is someone going to attempt to cite cowboy-7350?
> >
> >I think if we get into a fight over this OWASP is simply going to have
> >to do a web app CTF tournament.  And we'll see who's right about what.
> >
> >Money where your mouth is boys.
> >
> >-Matt Joyce
> >
> >PHP Usage Stats:
> >
> >http://www.php.net/usage.php
> >http://www.nexen.net/chiffres_cles/phpversion/16814-php_stats_evolution_for_march_2007.php
> >
> >
> >On Tue, May 01, 2007 at 03:03:20PM -0400, David Goldsmith wrote:
> >> James:
> >>
> >> Not sure I would go as far as to say you shouldn't write applications
> >> in PHP because of security concerns but I would think that .NET
> >> (ASP.NET et al) would be more important to talk about than PHP.
> >>
> >> At least, that's what I see with our enterprise customers...
> >>
> >> Cheers,
> >>
> >> Dave G.
> >>
> >> ---
> >> <daveg at matasano.com>
> >> Matasano Security LLC
> >> Matasano Team Blog: http://www.matasano.com/log
> >>
> >> On May 1, 2007, at 2:13 PM, James Landis wrote:
> >>
> >> > I should know better than to respond to advertising, but I just
> >> > couldn't help but take issue with the following statement:
> >> >
> >> > "The course will have emphasis on writing secure distributed programs
> >> > in Java, Standard Edition (Java SE), Java, Enterprise Edition (Java
> >> > EE), and PHP, which are the de facto standard languages for modern Web
> >> > applications."
> >> >
> >> > I wouldn't argue with Java being a standard for modern Web apps, but
> >> > PHP? I love PHP and everything, but it's hardly a standard. In fact, I
> >> > would never recommend that the average developer build an app in PHP
> >> > because it's simply way too easy to make security mistakes.
> >> >
> >> > -j
> >> >
> >> > On 5/1/07, Nasir Memon <memon at poly.edu> wrote:
> >> >> Hello,
> >> >>  The Center for Advanced Telecommunication Technology (CATT) at
> >> >> Polytechnic University, Brooklyn, is offering a 50% discount rate to
> >> >> OWASP members for the following course at their Brooklyn campus.
> >> >> "Writing Secure Code for Today's Web Application Security". More
> >> >> information can be found at
> >> >> http://catt.poly.edu/details_shortcourses.php?event_id=31. If you are an
> >> >> OWASP member, please include this information in the comments field.
> >> >>
> >> >> Best regards,
> >> >> Nasir Memon
> >> >>
> >> >>
> >> >> --------------------------------------------------------------------------------
> >> >> Nasir Memon                 Phone: 718-260-3970
> >> >> Polytechnic University      Fax: 718-260-3609
> >> >> Computer Science Dept       CS Dept. Phone: 718-260-3440
> >> >> Six MetroTech Center        Email: memon at poly.edu, AIM: evilproffy
> >> >> Brooklyn, NY 11201          Web: http://isis.poly.edu/memon
> >> >> --------------------------------------------------------------------------------
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> Owasp-newjersey mailing list
> >> >> Owasp-newjersey at lists.owasp.org
> >> >> https://lists.owasp.org/mailman/listinfo/owasp-newjersey
> >> >>
> >
> >
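The register_globals point James raises (on by default until PHP 4.2) is the one concrete configuration hazard in this thread, and it is worth seeing in code. What follows is an added PHP example, not code from the thread or from any project mentioned in it; the user table, the `user` request parameter and the `is_admin()` helper are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from this thread. It shows the register_globals
// hazard (the setting was on by default before PHP 4.2) and the coding habits
// that keep an application safe whichever way the setting is configured.
// The user table, the 'user' parameter and the is_admin() helper are all
// constructed for this demonstration.

// 1. Fail closed if the legacy setting is still on. register_globals is a
//    PHP_INI_PERDIR directive, so it cannot be switched off with ini_set()
//    at runtime; it has to be fixed in php.ini or a per-directory setting.
//    On PHP >= 5.4 the directive no longer exists and ini_get() returns false.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit("Refusing to run with register_globals enabled\n");
}

// Constructed sample user table standing in for a real user store.
$users = [
    'alice' => ['role' => 'admin'],
    'bob'   => ['role' => 'user'],
];

// 2. The fragile legacy pattern, kept as a comment because it is the thing
//    to avoid. It lived in global scope, as PHP 4 include-files usually did,
//    and it never initialised $authorized, so it relied on the variable being
//    unset unless the role check set it. With register_globals=On a request
//    parameter of the same name would already have defined it before this
//    code ran, so the outcome was decided by the request rather than the role.
//
//    if ($users[$user]['role'] == 'admin') {
//        $authorized = true;
//    }
//    if ($authorized) {
//        show_admin_panel();
//    }

// 3. Hardened form: every flag gets an explicit default, the check runs
//    inside a function so no global state leaks in, and input reaches the
//    check only through an explicit, validated read of the superglobal.
function is_admin(array $users, ?string $user): bool
{
    $authorized = false;                                  // explicit default
    if ($user !== null && isset($users[$user])) {
        $authorized = ($users[$user]['role'] === 'admin');
    }
    return $authorized;
}

// filter_input() returns null when the parameter is absent and false when it
// fails validation; both collapse to "no user". The regex whitelists plain
// account names and nothing else.
$user = filter_input(INPUT_GET, 'user', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[a-z0-9_]{1,32}$/']]);
$user = is_string($user) ? $user : null;

header('Content-Type: text/plain');
echo is_admin($users, $user) ? "admin panel\n" : "access denied\n";
```

Serve it under a web server and request it with and without `?user=alice`; from the CLI it reports "access denied" because no request parameter exists. The point is that the hardened version's behaviour does not depend on the ini setting at all, whereas the commented legacy pattern did.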
