Secure Coding mailing list archives
Re: Scripting Languages and Secure Coding
From: Bob Toxen <bob () verysecurelinux com>
Date: Thu, 04 Dec 2003 15:06:51 +0000
On Wed, Dec 03, 2003 at 09:20:03AM -0800, Jeremy Thibeaux wrote:
> I would look at this differently.
> ...
> I am not aware of any buffer overload problems with PHP >=4.2.2...
> The reason why you won't see security notices for C (or perhaps Perl), is that they leave it entirely up to you to make your own mistakes. One will likely find security problems in reusable C or Perl components if they end up as abundantly tested as PHP. Not to mention that PHP includes a ridiculous amount of functionality.
... Frankly, I think your email strengthens my case that PHP itself is too buggy to be used for "high security" trusted applications. The C compiler and popular C library routines do not have bugs both because they are very carefully tested and because they are not changed much and because they have been thought out very carefully over 30 years. When PHP has less than 1 significant security bug per year for 2-3 years I'll consider it safe for use. Unlike C and Apache, one does not HAVE to use PHP in their system.
> Jeremy Thibeaux
> Lucid Factory, inc.

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs, Network Monitoring, and Network Security consulting"
http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
http://www.realworldlinuxsecurity.com [My 5* book: "Real World Linux Security"]
[EMAIL PROTECTED] (e-mail)