[OWASP-GUIDE] Question concerning usage of languages for webapps

Ray Stirbei ray at highentropy.org
Mon May 17 08:30:52 EDT 2004

Both of you have valid points and like Adrian said, the objective of the 
survey was an informal way to get a high level picture, not authoritative 
information. In the interest of bringing some objective analysis, I looked up 
Gartner and Forrester reports. I wasn't able to find anything on PHP, Perl 
which is consistent with Ofer's point of view. Java and .NET are the only 
platforms researched at length and they both seem to be on equal footing in 
terms. To Chris' point, the support of PHP and Perl from almost every 
webhosting provider and the sheer number of people that attend perl/php 
events speaks for itself. 

An ad hoc query on dice (searching 42,980 job openings) produced the following 

query 	returned matches
Java  	 7284 
.NET 	 4148
Perl 		2154
PHP		216
Coldfusion 168
Vignette 110

ASP 		5269
JSP 		1556
javascript 1548

These results tell me there is good demand for perl/php and its not just 
enthusiasts working for free. It also confirms that Java and .NEt are the 
heavyweights in this space.

The results are far from scientific but they are more objective than personal 
experience alone.


On Monday 17 May 2004 09:10 am, Imperva Application Defense Center wrote:
> Chris,
> At no point I was trying to be biased towards commerical web
> applications. I have a long happy history with open source and linux
> from many years ago, and I totally agree that PHP is an important
> language that shold be covered as well.
> However, when performing a risk analysis, you always must weight the
> potential damage. Application hackers care less about hacking the
> *application* of a .org content site, than they care about breaking into
> a bank, or tampering with an ecommerce site. The majority of application
> layer attacks to not focus in taking over the server (some do, but they
> are the minority). The majority of application layer attacks go to the
> business logic. To hijack user accounts of other users. To meddle with
> the business logic of the appplication, to steal information. All these
> attacks pose a much greater risk to commercial applications (And XSS,
> which you have mentioned, does not normally compromise the target
> machine. It compromises the information that is transferred between the
> target machine and the web site, which again, is usually not very
> critical in non commercial applications).
> With all that said, I do not dismiss PHP in any way. I think it's a
> great language, and I have written some sites using it myself. PHP
> should definitley be included in the OWASP guide, but, in my humble
> opinion, it should not be its main focus. My main concern with the
> published statistics was the fact that PHP got a much higher ranking
> than any other language.
> Ofer.
> -----Original Message-----
> From: Chris Todd [mailto:chris at christophertodd.com]
> Sent: Monday, May 17, 2004 3:46 AM
> To: webappsec at securityfocus.com
> Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for
> webapps
> Ofer,
> While the statistics you cite regarding the distribution of programming
> languages in commercial web apps are probably accurate (they certainly
> jive with my experience), I have to admit that I find your bias towards
> commercial web apps troubling.
> OWASP does not exist solely to improve the security of commercial web
> applications, it exists to improve the security of *ALL* web
> applications, and in that respect PHP is *way* more important than
> ASP/ASP.NET/.NET/Java, because there are thousands of PHP applications
> out there that desperately need to be improved, and there are many more
> PHP-enabled apache web servers than there are IIS servers (see
> Netcraft).
> Anyone who cares about the security of the Internet as a whole
> understands that we need to teach as many people as possible how to
> write secure web apps, because every insecure web app, wherever it may
> be on the Internet, and whatever language it is written in, is a
> possible attack vector against our systems.  Every cross site scripting
> attack that can be used to compromise a client machine, every SQL
> injection attack that can reveal sensitive data, every web server that
> gets rooted because of an insecure PHP/Perl/C CGI script, is another
> platform for launching attacks.
> While it may sound like a pipe dream to some, I honestly believe that
> OWASP can make a contribution to the overall security of the Internet by
> removing the low-hanging fruit hackers use to compromise web apps.
> Teach web app developers to do just a few things differently, to be just
> a little paranoid, to validate all input, and the hackers have to work a
> lot harder. Anything that makes hackers' lives more difficult is a Good
> Thing(TM) in my book.
> Therefore, in my opinion (for however many cents it's worth), PHP should
> be the number one language the Guide focuses on.  Of course, it should
> include coverage of Java, the MS technologies, and probably also Perl,
> but PHP should receive it's strongest and deepest focus, because that's
> where the Guide can make the greatest impact.
> Regards,
> Chris
> -----Original Message-----
> From: Imperva Application Defense Center [mailto:adc at imperva.com]
> Sent: Sunday, May 16, 2004 8:05 AM
> To: Adrian Wiesmann; webappsec at securityfocus.com
> Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for
> webapps
> Dear List,
> I have to say I find the results troublingm, as they are very
> open-source oriented, rather than real-world industry oriented.
> Our company has performed several hundred PT's in the last few years.
> Only very few were PHP (less than 5). I agree you may find many PHP
> sites online, but the majority of these sites are free or small sites.
> Most commercial organizations that run business applications do not use
> PHP, but rather one of the commercial infrastructures. Same reference
> goes to perl. Perl has lost most of its popularity in real world web
> applications. It can still be seen often, again, in non commercial
> sites, yet it is not as widely used as it was used 5-7 years ago, when
> CGI's were the main stream of web applcations.
> On the other hand, I find the low ranking of ASP applications very
> surprising. This is, of course, an old technology, which is slowly being
> replaced with ASP.Net, yet is still widely used (and probably still used
> a lot more than ASP.Net). Therefore, although new applications written
> from scratch are likely to be written in ASP.Net, there is a lot of code
> that is still being written in ASP, as part of existing applications,
> which makes it, in my opinion, probably the most important or second
> most important infrastructure.
> It is my belief that such as document should refer to what's mostly used
> in the industry, and therefore put the two main commercial technologies
> (mainly ASP/ASP.Net and Java/JSP) as the top priority. As for other
> content infrastructure, such as ColdFusion, Vignette, DB-Specific
> environments, etc
> - There are so many of them, that I think there should be general
> guidelines, which shold be written clear enough so that developers will
> be able to deduct from them about the specific technology in use.
> Sincerely,
> Ofer Maor
> Application Defense Center Manager
> Imperva(tm) Inc.
> http://www.imperva.com/adc/
> -----Original Message-----
> From: Adrian Wiesmann [mailto:awiesmann at swordlord.org]
> Sent: Friday, May 14, 2004 7:59 PM
> To: webappsec at securityfocus.com
> Subject: Re: [OWASP-GUIDE] Question concerning usage of languages for
> webapps
> Hello list
> Thank you for your help concerning my question about web application
> languages usage. Please note that I neither counted the total sum of
> replies nor is the list below in any way representative. I only use it
> to decide on which language to cover in the OWASP Guide v2.
> Here are the results in one simple list. The numbers below the language
> names represent the number of time the language was mentioned (so one
> user could mention multiple languages, but every language only one
> time). One speciality is the ASP.NET line. The number left of the equals
> sign is the total number of mentionings and the numbers on the right
> define which languages are used within the .NET framework. This means
> that one developer can use both c# and vb.net. (But this counts only
> once.)
> 14
> Java/JSP
> 10
> Perl
> 9
> (one person said perl for backend purposes and php for frontend)
> ASP.NET (undefined/C#/VB.NET)
> 9 = 5 / 3 / 2
> 5
> Python
> 3
> 2
> 2
> ColdFusion
> 1
> Sybase PowerScript
> 1
> 1
> C
> 1
> Delphi
> 1
> JavaScript
> 1
> The interpretation of the result is yours :)
> Thanks again for your help,
> Adrian

More information about the Owasp-guide mailing list