WebApp Sec mailing list archives
Re: Languages/platforms used for Web apps. Any stats?
From: Mark Susol Ultimate Creative Media <msusol () ultimatecreativemedia com>
Date: Sat, 25 Jun 2005 09:41:39 -0400
Invalid characters removed from From: Mark Susol | Ultimate Creative Media On 6/25/05 12:00 AM, "Matt Szubrycht" <matt () bannermasterinc com> wrote:
Ben, It's probably because of the easy learning curve offered by PHP. Easy 'hello world' leads to popularity it seems. Just my 2 cents, Matt -----Original Message----- From: Benjamin Livshits [mailto:livshits () cs stanford edu] Sent: Friday, June 24, 2005 12:46 PM To: webappsec () securityfocus com Subject: Languages/platforms used for Web apps. Any stats? Are there any good studies of what fraction of Web apps are written in Java/J2EE vs C#/.NET vs PHP, etc. Many vulnerabilities reported on SecurityFocus.com daily involve PHP programs. I was wondering if that's a reflection of the fact that many Web apps out there are written in PHP. Or is it that vulnerabilities in proprietary apps that is written in Java or C# simply doesn't make it to SecurityFocus.com? Thanks. -Ben
May I offer this perspective: I believe this is not so much a function of the language used, but an "unintended consequence" of the open source movement? I don't think the problem so much is that the language is easy to learn or that these folks deployed insecure programming, but that the code is OPEN and you can STUDY it and find the vulnerabilities at your leisure. And with the success of google, once you find an exploit its so easy to find all the sites using the same software most likely several versions outdated and its really easy pickings. I subscribe to this list just to get the heads up on anything I'm using off the open source shelf. PHP is probably the fastest growing language if you look at how many scripts are populating sites like hotscripts.com, but there are also teams of developers using PHP in a security minded deployment that still have problems. PhpBB software is a big one for instance. They just recently took the version # out of the footer code so google won't find the outdated sites so easily. For this reason I prefer to make my own custom php applications so my code isn't out there to be studied. However for something like a forum, you kinda have to hope those programming are keeping up with this unintended consequence of having their code hanging out there for all to study. Sometimes is better knowing you paid for that security rather than going the open source route. With that said, I'm still using some stuff I bought that is in php and the code is out there enough to be studied. Mark Susol
Current thread:
- Languages/platforms used for Web apps. Any stats? Benjamin Livshits (Jun 24)
- RE: Languages/platforms used for Web apps. Any stats? Matt Szubrycht (Jun 24)
- Re: Languages/platforms used for Web apps. Any stats? Mark Susol Ultimate Creative Media (Jun 25)
- Re: Languages/platforms used for Web apps. Any stats? Steve McCullough (Jun 26)
- Re: Languages/platforms used for Web apps. Any stats? Jesse G. Lands (Jun 26)
- Re: Languages/platforms used for Web apps. Any stats? Mamading Ceesay (Jun 26)
- Re: Languages/platforms used for Web apps. Any stats? Mark Susol Ultimate Creative Media (Jun 25)
- RE: Languages/platforms used for Web apps. Any stats? Matt Szubrycht (Jun 24)
- Re: Languages/platforms used for Web apps. Any stats? Andrew van der Stock (Jun 24)
- Re: Languages/platforms used for Web apps. Any stats? focus (Jun 24)
- Re: Languages/platforms used for Web apps. Any stats? Steve McCullough (Jun 26)
- Re: Languages/platforms used for Web apps. Any stats? Rob Lanphier (Jun 25)
- Re: Languages/platforms used for Web apps. Any stats? Gary Warner (Jun 25)
- Re: Languages/platforms used for Web apps. Any stats? prep (Jun 25)
- RE: Languages/platforms used for Web apps. Any stats? Mark Curphey (Jun 25)