Bugtraq mailing list archives

Re: LAMP vs Microsoft


From: Darren Reed <avalon () caligula anu edu au>
Date: Wed, 19 Jul 2006 17:43:51 +1000 (Australia/ACT)

In some mail from Bob Beck, sie said:

> > the people who use the platform to develop on top of.  If the
> > foundations of what you're using are insecure, then the web
> > developer has a harder task.
>
>       I disagree. I think most modern computing platforms start
> out as "secure" within their limitations if you understand them.
> It's code written for them that is the problem, plain and simple.

Ok, let me give you a simple example of where I believe the
foundations are insecure - string handling in PHP.  Why doesn't
PHP make all strings "safe" when passing them to external
programs?
If it's not a problem for php, does it mean the HTTP or HTML
specs need to be changed such that the definition of data is
changed when it is passed out to CGIs?

>       The more complexity you add what you implement on top of a platform,
> the more bugs you add in the implementation, and the more opportunity
> for people not to understand the side effects. But I expect to see a
> great market for people reinventing the wheel for people who don't
> understand that life is pain, and anyone who says otherwise is selling
> something.

In your opinion.  You make it sound like we have the perfect wheel
now - we don't and nobody I know thinks we do.  If we did have the
perfect wheel then there would be no security vulnerabilities. So
the wheel will be reinvented and perhaps multiple times, quite
necessarily.  I'd almost be tempted to say that software engineering
is in a rut and it doesn't know how to get out of it yet.

>       Oh, and since you mention it, I doubt anyone in the OpenBSD mob would
> disagree with what I'm saying, or that I would care if they did.
> Unlike the corporate world there are still some free projects that
> allow for participants to speak their mind freely and not toe the
> party line.

I'm not toeing the party line, rather pointing out what different
groups do in order to achieve better results in terms of software
quality.  My apologies if you confused this with an attempt to
sell something.  Unfortunately they are the only two that come
to mind but my exposure is quite limited.  I'd be more than happy
to hear of what other projects do in this area, if you'd like to
mention some.  My comments and their relevance to open source are
limited by my experience.  If I had more experience that suggested
other projects did more for software QA, I'd have cited that too.

> Of course, I haven't yet asked what you're selling. Sounds
> to me like it's another effort to convince the unwitting that life
> isn't pain and blow SuNshine up their posteriors.

If you've got a point to make, make it and leave the insults at home.

I'm interested in making software more secure and making the tools
we use more secure.  Part of that should be improving the process
to engineer software.  While Microsoft can hire the likes of ISS
and others to do this, for open source projects we need to discuss
and understand what groups do, think about it and think about how
we can apply that model (or part of it) to what they do.  This
requires disclosing what others do.

Now if you'd like to go live in your comfortable hole where all
software is by default insecure and we can't do much except wait
for exploits to find those bugs, feel free to sit and stay there,
but please don't criticise others for wanting a better solution
and discussing what people do to try and achieve that (even if
you think they're striving for a pot of gold at the end of a
rainbow.)

Darren
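As an added illustration of the PHP string-handling point raised in this message (example code, not part of the original thread or of PHP's own documentation), the snippet below contrasts concatenating an untrusted value into a shell command with passing the same value through escapeshellarg(), and with bypassing the shell entirely via proc_open()'s array form (PHP 7.4 or later). The value of $dir is a constructed sample.

```php
<?php
// Added example, not from the thread. Shows that PHP does not make strings
// "safe" by default when they reach an external program: the caller must
// either quote them or avoid the shell altogether.

// Constructed untrusted input: a directory name carrying a shell metacharacter.
$dir = "public; id";

// Unsafe: the value is interpolated verbatim, so /bin/sh parses it and
// sees two commands ("ls -1 public" followed by "id").
function list_unsafe(string $dir): string {
    return (string) shell_exec("ls -1 " . $dir . " 2>&1");
}

// Safer: escapeshellarg() wraps the value in single quotes and escapes any
// embedded quote, so the shell hands "public; id" to ls as one argument.
function list_quoted(string $dir): string {
    return (string) shell_exec("ls -1 " . escapeshellarg($dir) . " 2>&1");
}

// Safest: no shell at all. Given an array, proc_open() executes the program
// directly with those argv entries, so there is nothing to inject into.
function list_noshell(string $dir): string {
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ls', '-1', $dir], $spec, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

echo "unsafe:\n",  list_unsafe($dir);
echo "quoted:\n",  list_quoted($dir);
echo "noshell:\n", list_noshell($dir);
```

Run it on a system with /bin/sh and ls present: only the first variant executes the injected second command, while the other two treat the whole string as a single (non-existent) directory name.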

