WebApp Sec mailing list archives
Re: Languages/platforms used for Web apps. Any stats?
From: Andrew van der Stock <vanderaj () greebo net>
Date: Sat, 25 Jun 2005 15:07:10 +1000
I don't know of any stats, but if anyone was to make a study, that's where I'd focus on.
However, saying that:
* I review J2EE finance apps used in very large institutions. I find plenty of problems which need fixing
* I look after a PHP forum, which definitely could improve
* In my previous job, the most vulnerable app I ever reviewed was written in ASP in VBScript
I don't think the language has much to do with it beyond basic security posture. PHP could do a lot to redress the problems, for example, by:
* making echo do htmlentities by default, and having a special echo / print which doesn't in case you really meant to spit out HTML
* deprecating the old function based MySQL drivers (ie warnings when E_ALL is used) in favor of the MySQLi drivers or PDO which have prepared statements
* in the next version of PHP, remove support for register_globals and make url_fopen permanently false
* Remove implicit declarations and add optional strong typing which really means it
The basic security posture of PHP has been improving, but honestly, it really depends on the quality of the coders and if they are aware of the security options open to them. The other thing is that there is a lot of PHP code out there written in the PHP 3 days which sorta runs okay on PHP 4 and 5, which shouldn't. PHP 3 really was a security nightmare - everything in the interpreter was set to be the most insecure possible posture with maximal attack surface area.
Andrew

On 25/06/2005, at 5:45 AM, Benjamin Livshits wrote:
Are there any good studies of what fraction of Web apps are written in Java/J2EE vs C#/.NET vs PHP, etc. Many vulnerabilities reported on SecurityFocus.com daily involve PHP programs. I was wondering if that's a reflection of the fact that many Web apps out there are written in PHP. Or is it that vulnerabilities in proprietary apps that are written in Java or C# simply don't make it to SecurityFocus.com? Thanks. -Ben
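Two of the items on Andrew's wish list (output escaping as the default, prepared statements instead of the function-based MySQL driver) shown side by side as an added example; this is not code from the thread, and the DSN, credentials, table `users` and column `name` are assumed:

```php
<?php
// Added example (not from the thread). Assumed: MySQL table users(id INT, name VARCHAR).

// 1. PHP 3/4-era pattern the thread argues against: query built by string
//    concatenation through the old mysql_* functions, output via bare echo.
//    Both depend on every caller remembering to escape; one omission is an
//    injection or a cross-site scripting bug.
function oldLookup($link, $id) {
    $sql = "SELECT name FROM users WHERE id = " . $id;   // unparameterised
    $row = mysql_fetch_assoc(mysql_query($sql, $link));
    echo "<p>" . $row['name'] . "</p>";                   // unescaped output
}

// 2. Hardened pattern: PDO prepared statement plus one escaping chokepoint.
function safeLookup(PDO $pdo, $id) {
    // The placeholder keeps code and data apart: the value is bound
    // separately and is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>not found</p>';
    }
    // This is the "echo does htmlentities by default" idea done by hand:
    // every value that reaches HTML passes through h().
    return '<p>' . h($row['name']) . '</p>';
}

// HTML-escaping chokepoint. ENT_QUOTES also escapes single quotes, so the
// result is safe inside quoted attributes as well as element bodies.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Usage with assumed connection details.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'app', 'secret');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
echo safeLookup($pdo, isset($_GET['id']) ? $_GET['id'] : 0);
```

Disabling emulated prepares makes the MySQL server itself parse the statement once with the placeholder, so the bound value cannot change its structure regardless of the connection's character set.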