[owasp-intrinsic-security] [Owasp-leaders] Web application framework security comparison

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu Jan 29 09:57:06 EST 2009


I agree there is value in not looking at J2EE or PHP by itself. If
people want to submit columns with references I'd be happy to add them,
or I could give a few people editing privileges for the spreadsheet.
This kind of thing can't be cleanly crowdsourced to everyone
unfortunately.

Thanks,
Arshan

-----Original Message-----
From: Achim Hoffmann [mailto:ah at securenet.de] 
Sent: Thursday, January 29, 2009 9:46 AM
To: Arshan Dabirsiaghi
Cc: Michael Menefee; owasp-intrinsic-security at lists.owasp.org
Subject: Re: [Owasp-leaders] Web application framework security
comparison


Hi Arshan/All,

I'd agree with Mike's comment that Frameworks are compared with
languages.
J2EE is not primarily a framework to build web applications, you'd use it
together with at least one of Struts, Spring (webflow), grails,
tapestry, etc.

PHP is primarily designed as "web language" but comes with a lot of
preinstalled libraries. So I'm not sure if we call it "language" or
"framework".
Anyways, it fits here, IMHO.

Either the matrix should point out that distinction, or other "frameworks"
should be added. It's a bit misleading according to the title.

Any thoughts?
Achim


On Wed, 28 Jan 2009, Michael Menefee wrote:

!! Arshan/All,
!! 
!! I would like to point out the difference between "Framework" and "language".
!! .NET is a framework, classic ASP is a language. PHP is also a language, not a
!! framework. If we want to compare various frameworks, then we need to include
!! specific PHP frameworks such as Cake, Symfony, Zend, etc, and make sure to
!! differentiate languages (such as ASP and PHP) from actual frameworks
!!
!! I would be more than happy to attempt an evaluation of the top 5 PHP frameworks
!! (although there are many more than that now).
!! 
!! Mike

