Bugtraq mailing list archives
Re: LAMP vs Microsoft
From: Bob Beck <beck () bofh cns ualberta ca>
Date: Wed, 12 Jul 2006 08:58:05 -0600
The simple fact is most of the MS/PHP/JAVA web development will be being done by code monkeys, fresh out of school..

You're confusing what I'm interested in (platform security) with the people who use the platform to develop on top of. If the foundations of what you're using are insecure, then the web developer has a harder task.

I don't think the platform matters all that much if people are writing code and deploying code without security as a goal. While a particular platform may make it more difficult for a certain type of attack to occur (i.e. it's harder to have traditional buffer overflow attacks in something like OpenBSD or Java), the avenue of attacks for web applications is broad enough, particularly when the browser and ease-of-use-assisted social engineering is involved, that the platform is going to be moot compared to basic application design and deployment issues.

Heck, lots of banks do clear text redirects from http://www.bigassedbank.com/ to https://www.bigassedbank.com/, and then have idiots using them from coffee shops. That's much more fundamental than the sorts of things like html goo, sql insertion, browser bugs, etc. etc. etc.

I think the focus on "choice of platform" merely distracts attention from the design of the entire application and what the end to end impacts are. I know I've been given the "It's written in Java it's secure" line of horse apples from people selling an application that couldn't even do ssl connections to ldap and smtp, and insisted on doing them in the clear. See? The choice of platform in this case is moot - design and implementation without security in mind is the problem.

-Bob