[owasp-intrinsic-security] [Owasp-leaders] Web application framework security comparison

Jim Manico jim.manico at aspectsecurity.com
Thu Jan 29 16:21:15 EST 2009

I would also like to point out the difference between a language, framework and management system (only because I see them used interchangeably so much).
A language is PHP.
A framework would be something like Cake or Zend.
But then we have entire content management systems like Drupal that are just as popular (if not more so) than the frameworks. Management systems let the layperson deploy large software systems without any custom programming - this is the key differentiator.
There is no reason that Drupal could not have been written on top of Cake on top of PHP. Some folks are also building Drupal on top of Python frameworks. And some of the Anti-Patterns/Security Bugs migrate from the management system to other languages/frameworks as they are ported.
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security(tm)
Securing your applications at the source


From: owasp-leaders-bounces at lists.owasp.org on behalf of Michael Menefee
Sent: Wed 1/28/2009 9:19 PM
To: owasp-leaders at lists.owasp.org
Cc: owasp-intrinsic-security at lists.owasp.org
Subject: Re: [Owasp-leaders] Web application framework security comparison


I would like to point out the difference between "Framework" and "language". .NET is a framework, classic ASP is a language. PHP is also a language, not a framework. If we want to compare various frameworks, then we need to include specific PHP frameworks such as Cake, Symfony, Zend, etc., and make sure to differentiate languages (such as ASP and PHP) from actual frameworks.

I would be more than happy to attempt an evaluation of the top 5 PHP frameworks (although there are many more than that now). 


On Wed, Jan 28, 2009 at 10:41 AM, Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com> wrote:

	Thanks to those of you who made it out to Portugal for the EU Summit. One of our working sessions was focused on creating a consumer report on the security provided by web application frameworks. After some huge initial draft work there, I'm happy to have a beta ready. Of course maintaining this will be a moving target, but right now I'm soliciting a last call for comments and suggestions before making it available to the world at large.
	The key is on the spreadsheet. Ideally I would like every tuple that's not "No Plans" to have a supporting comment or link. If you can provide one or can argue for a different value for any tuple, please get back to me soon.
	Thanks to everyone for all your help up to this point - let's get this thing finished so we can get it out to the public. I'm sorry I can't let everyone have edit privileges, but I had to make a million reverts when I did that before because I wasn't clear enough with my goals for the spreadsheet, so please just email me and the group your suggestions!

