[Owasp-newjersey] Short course - 50% discount for OWASP members

James Landis jcl24 at cornell.edu
Wed May 2 21:54:45 EDT 2007


OK, picking up where we left off, now that I've had my nap.

You make a great point that what's good for enterprise doesn't really
work for a lot of the rest of the world, specifically referencing
database licensing costs and platform licenses. I'm totally with you
on that when it comes to ASP techs; that's a huge hurdle for a lot of
people, if not philosophically then monetarily. MS has done great
things with ASP.NET and the built-in filtering there, but it's far
from perfect and at the same time they do things like give away an IDE
for free that lets a developer drag-and-drop SQL injection vulns into
his application. However, you can build a solid J2EE app server on
linux/Tomcat - all of that stuff is free. I'm not sure what you mean
when you say that the BSA would kill the typical Java shop. Is it
because they're using commercial Java platforms (e.g. Macromedia JRun)
without paying for them?

The database question is a great one, though. What options are there
in the free/cheap world other than MySQL, PostgreSQL, and SQLite?

MySQL is just barely limping into the 21st century by finally
implementing stored procs. Lack of a stored proc/parameterized query
paradigm is a monster hurdle for the traditional (as I knew it) PHP
deployment model. There is a ton of bad code out there built before
people widely understood this whole SQLi thing, and the worst part is
that much of it is open source and GoogleCodeable, hence spreading
more SQLi to the copy-and-paste development camps.

I admit my open-source database development was limited to my younger,
dumber days (I'm using text files on my personal site, which is PHP by
the way), and it appears that PostgreSQL and SQLite are a lot better
about modeled data access than MySQL ever was. However, in my
corporate experience I don't see people using these. Yeah, the
licensing is a burden for Oracle/MSSQL/DB2/(Sybase?), but people
wouldn't pay if it didn't mean they had someone to complain to when it
broke and destroyed their data.

Businesses like transfer of risk. Why the insurance companies haven't
gotten into IT insurance yet is beyond me. Maybe all the FUD has
scared them away. That, and/or lack of actuaries. Hell, even we have
trouble creating metrics.

I'm getting off topic. I agree that talking about PHP security
features is a good idea, especially with PHP 5/6 out and people not
knowing a lot about either. You mentioned object orientation in PHP5
being almost complete. Does that mean that it's finally possible to
enforce strong typing? Has register_globals been removed completely,
or is it still a feature for backwards compatibility? What about
magic_quotes? Have they fixed the built-in session-management functions
with respect to session fixation, prediction, and other weaknesses?
Has anyone with credible cryptography credentials looked at the token
generation algorithm?

-j

On 5/1/07, Matt Joyce <mjoyce at aculei.net> wrote:
> On Tue, May 01, 2007 at 05:19:33PM -0400, James Landis wrote:
> > Matt,
> > You are pretty passionate about PHP. First I will say that I agree
> > with you that it doesn't matter all that much what platform you give
> > an inexperienced developer to work with; he's going to make security
> > mistakes. However, the platform can do a lot to control the exposure
> > of those mistakes.
>
> Accepted.  And I am not supremely passionate about PHP so much as I am
> dispassionate towards naysayers.
>
> > I certainly can deny that PHP usage has exceeded 50% of forward-facing
> > Web sites. In fact, the very article that you cite refutes that
> > (suggesting PHP is installed on closer to 33%). Whether or not the
> > site is actually using the PHP engine or it just got installed with
> > Apache is another question entirely. However, 33% hardly qualifies as
> > a de facto standard.
>
> Yeah I misread the graph in my haste to not waste time on this pursuit.
> 33% exceeds qualification for a de facto standard.
>
> >
> > That is of course completely irrelevant to the question of whether PHP
> > is enterprise-ready, it's simply an appeal to the majority. You say
> > that no one has had anything bad to say about PHP since PHP3. However,
> > register globals wasn't even disabled by default until 4.2.
> >
>
> No it is not completely irrelevant if you acknowledge the value of your
> peers.  A large market share indicates a large number of IT
> professionals (some more than others) believe PHP to be enterprise
> ready and have deployed it.
>
> A number of companies make their bread and butter selling PHP centric
> web applications.
>
> > You say you've never met a designer familiar with JSP. How many do you
> > know that know PHP? Do you really want your designers writing your
> > application-tier code, anyway?
>
> LAMP application developers are a dime a dozen and most decent designers
> I have worked with are decent because they bother to get into this stuff
> on their own time.  While I personally have no love for joe LAMP
> deployment, I am willing to accept the value it has in the development
> of necessary technical skills in a GUI designer for any web app.
> Additionally I do want my designers having an eye towards the backend
> development process and systems support.  It will make it easier for
> everyone to work together and communicate.  Obviously not forcing
> designers to learn a custom templating engine and relying on a popular
> one makes a lot of sense.  And since most decent web applications rely
> on templating for separation of application logic and looks / feel /
> localization / whitefacing / what have you... this is certainly a
> benefit in my eyes.
>
> > It is difficult to cite accurate statistics about the relative
> > security of the two platforms because there really are no good metrics
> > out there. You can't point to the number of published vulns sorted by
> > platform because it's much easier to find problems in open-source apps
> > than closed-source commercial apps, and the distribution there is
> > hardly uniform between the two. You can't point to the install base.
> > You can't point to the enterprise adoption rate. (How much sense has
> > corporate IT spending made in the last 10 years?)
>
> Figures never lie, but liars figure.  Yeah it's hard to say which is
> more secure than the other.  That wasn't the thrust of my argument
> really.  I did point out some of the major security features of PHP so
> that you might gain a better understanding of just how PHP is generally
> secured in today's web environments.  If you'd like to get in depth on
> this line of discussion I would suggest we choose some topics of
> interest to focus on lest we get lost on tangential tirades.
>
> > So what can you point to? What are you left with other than your own
> > experience? In my experience, having built applications in PHP4, J2EE,
> > ASP (C# and classic), and pen-tested pretty much everything under the
> > sun, Java and C# apps are clearly the easiest to secure and to vet for
> > security.
>
> And I call shenanigans.  Additionally there is a lot more to security
> than the application itself.  Isolating applications, controlling the
> way they execute on a host and what resources are available to them all
> factor into security.  In that regard C# and Java are generally a pain
> in the ass to "secure" since security relies on network isolation.  Do
> Java and C# have a more robust and complete object oriented language
> set?  yes.  Does Java have some really great classes for encryption?
> Sure.  So does php.  And PHP5 is a hair's breadth shy of object oriented
> completeness.
>
> In my pen testing and administrative experience... Java web app
> developers are the most likely to attempt to implement their own custom
> shite encryption methods and dump pre auth logic into javascript.  C#
> developers are the most likely not to understand how their backend
> database works and leave their apps open to fifteen different types of
> SQL injection.  And PHP developers are the ones most likely to install a
> bunch of apps they don't need and never update any of them.  That's my
> experience.  It's completely irrelevant to the discussion but while we're
> sharing I figured I'd mention it.
>
> What specific security functionality within C# and / or Java exceeds
> that offered by a well configured PHP environment?
>
> > PHP doesn't have the same enterprise adoption rate, which means less
> > money invested, fewer tools, and fewer experts. This says nothing
> > about the security of the platform itself, but it does raise the
> > bar from an enterprise security perspective. You mentioned that most
> > companies have PHP apps that they don't even know about. If they don't
> > know about them, how important are they to the success of the
> > business? Corporate is putting its money where its mouth is. If PHP
> > had as strong a story as you suggest, I'm sure you'd have no trouble
> > making billions in the software development/refactoring business to
> > get all those J2EE apps ported over to PHP and the developers
> > retrained.
>
> That's bull.  Java's adoption rate is incredibly low outside of fortune
> 500s because no one can afford to legally support it.  I've worked for
> mid range businesses running java on their backend.  And if the BSA ever
> audited them it would bankrupt them.  Additionally the hardware
> requirements for stable java deployment far exceed that of C# or PHP.
> What's worse is Java tends to rely heavily on oracle.
>
> > I'm sure this isn't the first debate on the relative security of
> > application platforms, and I'm sure it won't be the last. As far as
> > I'm concerned, there is no application framework that exists that will
> > protect developers from even 50% of the vulnerabilities they can
> > introduce with their own code. Until that happens, it probably doesn't
> > make a whole lot of difference which platform you choose.
> > -j
>
> I don't see much of an argument coming from you.  I understand you have
> your opinions and experiences but I'd like to see a more formalized
> communication of why PHP is inferior.  With specific scenarios and logic
> as to why.  I'll try not to be hasty in my responses.  Because if I
> don't proof read I tend to be hard to read.
>
> I accept you have experience that may outweigh mine.  And I want to hear
> your opinion.  But it carries no weight if it's not backed up by a clear
> and logical argument.  And that's just wasted inbox space.
>
> Additionally... I bet you use emacs.  You sound like a dirty emacs user
> to me.
>
> -matt
>
> > On 5/1/07, Matt Joyce <mjoyce at aculei.net> wrote:
> > >I hate to get baited by an obvious troll.  But to suggest PHP is less
> > >secure or less enterprise ready than Java for web application
> > >development is downright stupid.  Nothing in terms of real factual
> > >information would support this sort of claim.  Now I will acknowledge
> > >you have a subjective right to your own opinion.  But you cannot deny
> > >that PHP usage has exceeded 50% of forward facing web sites.  Most large
> > >organizations whether they admit it or not are housing a php enabled
> > >webserver somewhere on their environment.  And not since the days of
> > >php3 has anyone had a bad word to say about them.  In fact last I
> > >checked Caucho Resin was compiling in the background to java byte-code.
> > >A lot of J2EE shops have PHP webservers integrated in their environment.
> > >I've worked on a live currency exchange apps backend that relied on J2EE
> > >for the live trading clusters but served up web applications related to
> > >the company and the software using php4.  JSP isn't very friendly to the
> > >standardized forward facing web development cycle.  I say this because
> > >most graphic artists and designers are outputting their templates and
> > >story boards using smarty style templating... simply because it's what
> > >they know and what's been showing up in the industry more.  I've yet to
> > >meet a layout designer that was actually familiar with jsp.
> > >
> > >Web app development is not the same as network app development or app
> > >development in general.  It has different needs.  Especially since a
> > >whole range of web apps are forward facing.
> > >
> > >Additionally PHP5 finally has secured many of the security benefits of
> > >true object oriented programming without the nasty overhead of the JVM
> > >or the chronically broken world of non standardized broken ass application
> > >servers that should be unmade such as weblogic and websphere.  Toss in
> > >suhosin on top of that... and the lighttpd integration and wow... PHP5
> > >is a simple fast and relatively secure language.  Flex Integration is
> > >additionally redefining the industry.
> > >
> > >But at the end of the day all of this is really a moot point.  Since the
> > >overwhelming majority of web applications are written by people with
> > >little to no formal education or experience in object oriented design
> > >much less secure coding practices.  So regardless of features and
> > >functionality you have to expect that your development team is handing
> > >you a pile of crap to put onto the internet and be completely exposed.
> > >Thus auditing and "secure" environments.  PHP has suhosin, plus the
> > >advantages of Zend monitoring if you happen to have the money handy.
> > >Additionally php modules such as xdebug can be used to trace php
> > >threads.
> > >
> > >As far as security goes.  PHP is by no means all that bad.  You just
> > >need to read the manual, understand the equipment you are working with,
> > >and take advantage of its greatest assets.
> > >
> > >I additionally have found that 1 in 10 IIS boxes have been configured
> > >well.  And 1 in 10 of the apps installed on them are actually well
> > >written.  The remaining 9 are generally laughably to frighteningly
> > >misconfigured and running apps that should be used as an example of what
> > >not to do when you get out of college.  Any argument thrown at PHP can
> > >be thrown at ASP.NET and at least PHP has the benefit of relying on
> > >software that's well written and industry proven.
> > >
> > >There's a reason the apache webserver is ruling the internet.
> > >
> > >Or is someone going to attempt to cite cowboy-7350?
> > >
> > >I think if we get into a fight over this OWASP is simply going to have
> > >to do a web app CTF tournament.  And we'll see who's right about what.
> > >
> > >Money where your mouth is boys.
> > >
> > >-Matt Joyce
> > >
> > >PHP Usage Stats:
> > >
> > >http://www.php.net/usage.php
> > >http://www.nexen.net/chiffres_cles/phpversion/16814-php_stats_evolution_for_march_2007.php
> > >
> > >
> > >On Tue, May 01, 2007 at 03:03:20PM -0400, David Goldsmith wrote:
> > >> James:
> > >>
> > >> Not sure I would go as far as to say you shouldn't write applications
> > >> in PHP because of security concerns but I would think that .NET
> > >> (ASP.NET et al) would be more important to talk about than PHP.
> > >>
> > >> At least, that's what I see with our enterprise customers...
> > >>
> > >> Cheers,
> > >>
> > >> Dave G.
> > >>
> > >> ---
> > >> <daveg at matasano.com>
> > >> Matasano Security LLC
> > >> Matasano Team Blog: http://www.matasano.com/log
> > >>
> > >> On May 1, 2007, at 2:13 PM, James Landis wrote:
> > >>
> > >> > I should know better than to respond to advertising, but I just
> > >> > couldn't help but take issue with the following statement:
> > >> >
> > >> > "The course will have emphasis on writing secure distributed programs
> > >> > in Java, Standard Edition (Java SE), Java, Enterprise Edition (Java
> > >> > EE), and PHP, which are the de facto standard languages for modern Web
> > >> > applications."
> > >> >
> > >> > I wouldn't argue with Java being a standard for modern Web apps, but
> > >> > PHP? I love PHP and everything, but it's hardly a standard. In fact, I
> > >> > would never recommend that the average developer build an app in PHP
> > >> > because it's simply way too easy to make security mistakes.
> > >> >
> > >> > -j
> > >> >
> > >> > On 5/1/07, Nasir Memon <memon at poly.edu> wrote:
> > >> >> Hello,
> > >> >>  The Center for Advanced Telecommunication Technology (CATT) at
> > >> >> Polytechnic
> > >> >> University, Brooklyn, is offering a 50% discount rate to OWASP
> > >> >> members for
> > >> >> the following course at their Brooklyn campus. "Writing Secure
> > >> >> Code for
> > >> >> Today's Web Application Security". More information can be found at
> > >> >> http://catt.poly.edu/details_shortcourses.php?event_id=31. If you
> > >> >> are an
> > >> >> OWASP member, please include this information in the comments field.
> > >> >>
> > >> >> Best regards,
> > >> >> Nasir Memon
> > >> >>
> > >> >>
> > >> >> ---------------------------------------------------------------------------------------------------------
> > >> >> Nasir Memon                 Phone: 718-260-3970
> > >> >> Polytechnic University      Fax: 718-260-3609
> > >> >> Computer Science Dept       CS Dept. Phone: 718-260-3440
> > >> >> Six MetroTech Center        Email: memon at poly.edu, AIM: evilproffy
> > >> >> Brooklyn, NY 11201          Web: http://isis.poly.edu/memon
> > >> >> ---------------------------------------------------------------------------------------------------------
> > >> >>
> > >> >>
> > >> >> _______________________________________________
> > >> >> Owasp-newjersey mailing list
> > >> >> Owasp-newjersey at lists.owasp.org
> > >> >> https://lists.owasp.org/mailman/listinfo/owasp-newjersey
> > >> >>
>
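The questions James raises above (parameterized queries versus string-built SQL, register_globals, magic_quotes, and session fixation) are easier to weigh with concrete code. What follows is an added example written for this page; it is not code from the thread, from OWASP, or from any product named in it. It assumes PHP 5.1 or later with PDO and the pdo_sqlite driver, and a hypothetical users(id, name, role, password_hash) table that the script builds itself in an in-memory SQLite database with constructed sample rows, so it runs offline from the command line.

```php
<?php
// Added example for this thread, not code from the list or from any project
// it names. Assumes PHP 5.1+ with PDO and the pdo_sqlite driver, and a
// hypothetical users(id, name, role, password_hash) table built below in an
// in-memory SQLite database with constructed sample rows.

// ---- 1. register_globals ----
// With register_globals=On (the default until PHP 4.2) a request for
// page.php?authorized=1 creates a global $authorized, so the old file-scope
// idiom   if (password_ok()) { $authorized = true; }  if ($authorized) ...
// is a bypass. The fix does not depend on the ini setting: initialise every
// flag and read input only from the superglobal you mean to read.
function is_authorized(array $session)
{
    $authorized = false;                                   // explicit default
    if (isset($session['user_id']) && is_int($session['user_id'])) {
        $authorized = true;
    }
    return $authorized;
}

// ---- 2. SQL injection: magic_quotes is not a parameterised query ----
// magic_quotes_gpc only backslashes quote characters in GET/POST/COOKIE data.
// A numeric context has no quotes, so "1 OR 1=1" goes through untouched.
function find_user_broken(PDO $db, $id)
{
    return $db->query("SELECT id, name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

function find_user_fixed(PDO $db, $id)
{
    // The value travels separately from the statement text, so it can never
    // change the statement's structure; the cast also rejects non-numeric ids.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ---- 3. Session fixation: rotate the id when privilege changes ----
function login(PDO $db, $name, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // crypt() against the stored salted hash; password storage is not the point here
    if (!$row || crypt($password, $row['password_hash']) !== $row['password_hash']) {
        return false;
    }
    // A fresh id, with the old session deleted, means an id the attacker
    // planted (via a crafted link or cookie) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// ---- Demo against constructed data ----
ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in URLs
ini_set('session.use_trans_sid', '0');      // and never rewrite it into links
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (id, name, role, password_hash) VALUES (?, ?, ?, ?)');
$ins->execute(array(1, 'alice', 'admin', crypt('s3cret', '$1$saltsalt$')));
$ins->execute(array(2, 'bob', 'user', crypt('hunter2', '$1$saltsalt$')));

$hostile = '1 OR 1=1';                        // what a client would send as ?id=
echo count(find_user_broken($db, $hostile)), " rows from the concatenated query\n";
echo count(find_user_fixed($db, $hostile)), " row(s) from the prepared statement\n";

$before = session_id();
var_dump(login($db, 'alice', 's3cret'));
var_dump(session_id() !== $before);           // the id was rotated on login
var_dump(is_authorized($_SESSION));
```

Run it with the PHP CLI; the concatenated query returns both rows for the hostile id while the prepared statement returns one. Two caveats worth keeping next to the thread's questions: the delete_old_session argument to session_regenerate_id() only exists from PHP 5.1, and both register_globals and magic_quotes_gpc remained available (off by default) until their removal in PHP 5.4, so code written for the deployment model James describes could not assume either was gone.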


