Re: PHP security (or the lack thereof)

[Dan Falconer <dan () avsupport com>]

On Monday 26 June 2006 10:38 pm, Ronald Chmara wrote:
> On Jun 24, 2006, at 3:42 PM, Darren Reed wrote:
> > In some mail from john mullee, sie said:
> > > --- Darren Reed <avalon () caligula anu edu au> wrote:
> > > I guess most of the remaining offending apps were written in C: as
> > > much as 96% ?!!
> > > (including basically all of microsoft's stuff!!)
> > >
> > > Surely the least secure language of all time !!!
> > >
> > > Note also that no vulnerable apps were written in:
> > >  - cobol, rpg3, prolog, ada, scheme, lisp, pl/1, occam, modula-2, or
> > > MIX
> >
> > But in the 1990s, Java was created.
> > Java applications exist.
> > Java servlets and applets also exist.
> > There have barely a *handful* of JRE/JVM security problems.
>
> Since this discussion started with dubious metrics (using how many
> posts were made to a discussion list, rather than how many security
> issues have been reported), I thought it might be wiser to use
> something with firmer metrics, actual CVE reports (insert disclaimer
> here):
>
> Popular Web languages:
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Python> has 17.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jsp> has 74.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Perl> has 94.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ASP> has 113.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Java> has 152.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Javascript> has 288.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cgi> has 576.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PHP> has 1181.
>
> Web servers:
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=IIS> has 147.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Apache> has 193.
>
> The usual suspects:
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SQL+injection> has
> 1434.
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=XSS> has 2121.
>
> > So the point of this is to say that new, modern, development
> > languages that are secure
>
> For the fun of comparing apples and oranges:
> <http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Sendmail> has 61.
>
> The newish Java language has more holes than the venerable sendmail
> application? ;-)
>
> >  can be and are being developed and
> > used.  That PHP is relatively new with respect to computing
> > and has so many security problems should be an embaressment
> > to its developers and users.
>
> Or, alternately, perhaps Java is relatively new and also *rarely ever
> used, or deployed*, in comparison to PHP, which means that many fewer
> holes will ever be created, and thus, found.
>
> Let's find some numbers... ah, here we go:
> <http://www.securityspace.com/s_survey/data/man.200605/apachemods.html>
>
> Top PHP apache mods:
> PHP: 5.69 million hosts
> PHP-CGI: .28 million hosts
>
> Top Java apache mods:
> mod_jk: .41 million hosts
> Jserv .1 million hosts
>
> 5.97 million PHP hosts, 43.1% marketshare, vs .51 million Java hosts,
> 3.72% marketshare.
> 1181 PHP CVEs vs. 152 Java CVEs.
>
> Only 8.5% of PHP's market share, but 12.8% of PHP's bugs? Is Java
> *less* secure than PHP? (Yikes... Mark Twain and all...)
>
> > Or to put it another way, if there are so many security
> > problems with PHP then the PHP development model or use model
> > needs to be seriously reconsidered and redeveloped such that
> > it is immune to such security issues.  This may, of course,
> > mean throwing away PHP and starting over (see C/C++ -> Java).
>
> As another poster pointed out to me quite eloquently, the learning
> curve seems to be the problem.
>
> Apparently, PHP is too easy to use.
>
> I say that with all seriousness, and kidding. Because PHP isn't hard to
> use, people who are inexperienced with writing secure internet
> applications are apparently using it to write Bad Code(tm) in droves.
>
> -Bop
> --
> 4245 NE Alberta Ct.
> Portland, OR 97218
> 503-282-1370

        It's all in how you do the math.  Obviously, every interjection into the 
battle has their own bit of bias, therefore skewing the numbers (sometimes 
intentionally, but probably mostly unconsciously).  That said, here's 
something else for ya to consider, based upon Ronald Chmara's numbers:

ASSUMPTIONS: on average, the same number of developers/host.  For the purposes 
of this explanation, we'll say there's one developer/host.  Issues for either 
language are posted immediately after they're found (or equally fast).  On 
average, the severity rating per PHP bug is equal to that of Java.  The 
average "experience level" of each developer is equal, be they Java or PHP 
developer.  Only one application is run per host.  Each developer has 2 
functional eyes. :)

Given those assumptions, approximately 11.7 times more eyes looking at PHP 
code than there are looking at Java code.  There's one issue per 5,055 PHP 
hosts (approx), while for Java, there's only one per 3355 hosts (approx).  
Now amplify the number of hosts & Java applications to that of PHP, so there 
are the same number of eyes looking at each: would Java maintain the smaller 
ratio of bugs/host?  

As a final thought: nobody seems to give a total ranking of the severity of 
the bugs per language.  I mean, if one language has 100 issues that all cause 
major problems while another as 1000 issues which result in nothing more 
serious than a page not displaying, is the one with fewer issues still more 
secure? 

-- 
Best Regards,


Dan Falconer
"Head Geek",
AvSupport, Inc. (http://www.partslogistics.com)