[OWASP-GUIDE] Question concerning usage of languages for webapps

Mark Curphey mark at curphey.com
Tue May 18 08:43:20 EDT 2004

I have mixed feelings on this.

One side of me says that we should be catering for the masses and the
audience of webappsec clearly uses PHP. 

The other side of me says I NEVER see it in commercial applications, it's
HORRIBLE to write a secure application in, and a big part of OWASP's success
has been to focus on technologies that are used commercially. This has been
a key concept in getting the respect of banks etc. and not just the open
source community.

Obviously you folks are in charge of the Guide so it's totally up to you, but
I firmly believe that ASP.NET and J2EE are the only two serious choices to
develop a secure enterprise web application today. Maybe that's the key
word, enterprise.

-----Original Message-----
From: owasp-guide-admin at lists.sourceforge.net
[mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Ray Stirbei
Sent: Monday, May 17, 2004 8:31 AM
To: Imperva Application Defense Center; chris at christophertodd.com
Cc: owasp-guide at lists.sourceforge.net
Subject: Re: [OWASP-GUIDE] Question concerning usage of languages for

Both of you have valid points and like Adrian said, the objective of the
survey was an informal way to get a high level picture, not authoritative
information. In the interest of bringing some objective analysis, I looked
up Gartner and Forrester reports. I wasn't able to find anything on PHP,
Perl which is consistent with Ofer's point of view. Java and .NET are the
only platforms researched at length and they both seem to be on equal
footing in terms. To Chris' point, the support of PHP and Perl from almost
every webhosting provider and the sheer number of people that attend
perl/php events speaks for itself. 

An ad hoc query on dice (searching 42,980 job openings) produced the

query        returned matches
Java         7284
.NET         4148
Perl         2154
PHP           216
ColdFusion    168
Vignette      110

ASP          5269
JSP          1556
JavaScript   1548

These results tell me there is good demand for Perl/PHP and it's not just
enthusiasts working for free. It also confirms that Java and .NET are the
heavyweights in this space.

The results are far from scientific but they are more objective than
personal experience alone.


On Monday 17 May 2004 09:10 am, Imperva Application Defense Center wrote:
> Chris,
> At no point was I trying to be biased towards commercial web 
> applications. I have a long happy history with open source and Linux 
> from many years ago, and I totally agree that PHP is an important 
> language that should be covered as well.
> However, when performing a risk analysis, you always must weigh the 
> potential damage. Application hackers care less about hacking the
> *application* of a .org content site, than they care about breaking 
> into a bank, or tampering with an ecommerce site. The majority of 
> application layer attacks do not focus on taking over the server (some 
> do, but they are the minority). The majority of application layer 
> attacks go to the business logic. To hijack user accounts of other 
> users. To meddle with the business logic of the application, to steal 
> information. All these attacks pose a much greater risk to commercial 
> applications (and XSS, which you have mentioned, does not normally 
> compromise the target machine. It compromises the information that is 
> transferred between the target machine and the web site, which again, 
> is usually not very critical in non commercial applications).
> With all that said, I do not dismiss PHP in any way. I think it's a 
> great language, and I have written some sites using it myself. PHP 
> should definitely be included in the OWASP guide, but, in my humble 
> opinion, it should not be its main focus. My main concern with the 
> published statistics was the fact that PHP got a much higher ranking 
> than any other language.
> Ofer.
> -----Original Message-----
> From: Chris Todd [mailto:chris at christophertodd.com]
> Sent: Monday, May 17, 2004 3:46 AM
> To: webappsec at securityfocus.com
> Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for 
> webapps
> Ofer,
> While the statistics you cite regarding the distribution of 
> programming languages in commercial web apps are probably accurate 
> (they certainly jibe with my experience), I have to admit that I find 
> your bias towards commercial web apps troubling.
> OWASP does not exist solely to improve the security of commercial web 
> applications, it exists to improve the security of *ALL* web 
> applications, and in that respect PHP is *way* more important than 
> ASP/ASP.NET/.NET/Java, because there are thousands of PHP applications 
> out there that desperately need to be improved, and there are many 
> more PHP-enabled apache web servers than there are IIS servers (see 
> Netcraft).
> Anyone who cares about the security of the Internet as a whole 
> understands that we need to teach as many people as possible how to 
> write secure web apps, because every insecure web app, wherever it may 
> be on the Internet, and whatever language it is written in, is a 
> possible attack vector against our systems.  Every cross site 
> scripting attack that can be used to compromise a client machine, 
> every SQL injection attack that can reveal sensitive data, every web 
> server that gets rooted because of an insecure PHP/Perl/C CGI script, 
> is another platform for launching attacks.
> While it may sound like a pipe dream to some, I honestly believe that 
> OWASP can make a contribution to the overall security of the Internet 
> by removing the low-hanging fruit hackers use to compromise web apps.
> Teach web app developers to do just a few things differently, to be 
> just a little paranoid, to validate all input, and the hackers have to 
> work a lot harder. Anything that makes hackers' lives more difficult 
> is a Good Thing(TM) in my book.
> Therefore, in my opinion (for however many cents it's worth), PHP 
> should be the number one language the Guide focuses on.  Of course, it 
> should include coverage of Java, the MS technologies, and probably 
> also Perl, but PHP should receive its strongest and deepest focus, 
> because that's where the Guide can make the greatest impact.
> Regards,
> Chris
> -----Original Message-----
> From: Imperva Application Defense Center [mailto:adc at imperva.com]
> Sent: Sunday, May 16, 2004 8:05 AM
> To: Adrian Wiesmann; webappsec at securityfocus.com
> Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for 
> webapps
> Dear List,
> I have to say I find the results troubling, as they are very 
> open-source oriented, rather than real-world industry oriented.
> Our company has performed several hundred PTs in the last few years.
> Only very few were PHP (less than 5). I agree you may find many PHP 
> sites online, but the majority of these sites are free or small sites.
> Most commercial organizations that run business applications do not 
> use PHP, but rather one of the commercial infrastructures. The same 
> goes for Perl. Perl has lost most of its popularity in real 
> world web applications. It can still be seen often, again, in non 
> commercial sites, yet it is not as widely used as it was used 5-7 
> years ago, when CGIs were the main stream of web applications.
> On the other hand, I find the low ranking of ASP applications very 
> surprising. This is, of course, an old technology, which is slowly 
> being replaced with ASP.Net, yet is still widely used (and probably 
> still used a lot more than ASP.Net). Therefore, although new 
> applications written from scratch are likely to be written in ASP.Net, 
> there is a lot of code that is still being written in ASP, as part of 
> existing applications, which makes it, in my opinion, probably the 
> most important or second most important infrastructure.
> It is my belief that such a document should refer to what's mostly 
> used in the industry, and therefore put the two main commercial 
> technologies (mainly ASP/ASP.Net and Java/JSP) as the top priority. As 
> for other content infrastructure, such as ColdFusion, Vignette, 
> DB-specific environments, etc.
> - There are so many of them, that I think there should be general 
> guidelines, which should be written clearly enough so that developers 
> will be able to deduce from them about the specific technology in use.
> Sincerely,
> Ofer Maor
> Application Defense Center Manager
> Imperva(tm) Inc.
> http://www.imperva.com/adc/
> -----Original Message-----
> From: Adrian Wiesmann [mailto:awiesmann at swordlord.org]
> Sent: Friday, May 14, 2004 7:59 PM
> To: webappsec at securityfocus.com
> Subject: Re: [OWASP-GUIDE] Question concerning usage of languages for 
> webapps
> Hello list
> Thank you for your help concerning my question about web application 
> languages usage. Please note that I neither counted the total sum of 
> replies nor is the list below in any way representative. I only use it 
> to decide on which language to cover in the OWASP Guide v2.
> Here are the results in one simple list. The numbers below the 
> language names represent the number of times the language was mentioned 
> (so one user could mention multiple languages, but every language only 
> one time). One speciality is the ASP.NET line. The number left of the 
> equals sign is the total number of mentions and the numbers on the 
> right define which languages are used within the .NET framework. This 
> means that one developer can use both C# and VB.NET. (But this counts 
> only once.)
> 14
> Java/JSP
> 10
> Perl
> 9
> (one person said perl for backend purposes and php for frontend)
> ASP.NET (undefined/C#/VB.NET)
> 9 = 5 / 3 / 2
> 5
> Python
> 3
> 2
> 2
> ColdFusion
> 1
> Sybase PowerScript
> 1
> 1
> C
> 1
> Delphi
> 1
> JavaScript
> 1
> The interpretation of the result is yours :)
> Thanks again for your help,
> Adrian

Owasp-guide mailing list
Owasp-guide at lists.sourceforge.net
