WebApp Sec mailing list archives

RE: [OWASP-GUIDE] Question concerning usage of languages for webapps


From: Ralf Durkee <rd () rd1 net>
Date: Mon, 17 May 2004 08:29:53 -0400

At 02:05 PM 5/16/2004 +0200, Ofer wrote:

In reply to Ofer's comments:

Dear List,

Our company has performed several hundred PT's in the last few years.
Only very few were PHP (less than 5). I agree you may find many PHP
sites online, but the majority of these sites are free or small sites.

I find plenty of businesses using PHP when performing security audits, and I agree that they tend to be small to medium size applications. I think you'll find the size of the application is more of a determination than the business size, as large corporations also have plenty of small applications as well. Although my experience includes dozens rather than hundreds of web apps, it does include small applications as well as large applications in corporate data centers. You may find that the nature of your business tends to draw on mainly the large application customer.

Most commercial organizations that run business applications do not use
PHP, but rather one of the commercial infrastructures. Same reference
goes to perl.

For one, the majority of the Internet market and economy are made up of small to medium size businesses. And I think it's also safe to say that the majority of the commercial applications are also small to medium size applications. The statement about PHP not being used by commercial organizations is just plain false; there's a lot of it out there. I also find Perl used at both extremes of the complexity scale from the small and simple to some of the largest and most complex web applications.


Perl has lost most of its popularity in real world web
applications. It can still be seen often, again, in non commercial
sites, yet it is not as widely used as it was used 5-7 years ago, when
CGI's were the main stream of web applications.

I agree that Perl is not the dominant (percentage wise) CGI that it once was, but it is widely used in commercial applications.

On the other hand, I find the low ranking of ASP applications very
surprising.

Yes I agree, there is a lot of IIS/ASP out there from small to large applications.


-- Ralf Durkee, CISSP, GSEC, GCIH
Durkee Consulting, Inc.
Principal Consultant
http://rd1.net

