Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

from [Thomas M. Payerle] Network Security [Permanent Link]
Subject: Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]
Date: Thu, 23 Feb 2006 15:38:09 -0500 (EST)
1. PHP is the "serious" or at least open-source/Linux/security freak's choice for web development. Mine as well (although as many still say, Perl does a better job).
While PHP is extremely popular, especially in open-source and Linux communities,I am not sure it qualifies as the defacto choice of "serious" web developers.
And I did not think it was as popular in the security community (when I occasionally scan one of the reports on the frequent PHP based applications
that grace this list, I thought exploit code is as often as not given in Perl:)

2. Developing secure applications in PHP is difficult, as one of PHP's creators said recently - even to him after years of trying.
The number of PHP applications getting reported on bugtraq would seem to
support this, although likely also contributed to the fact that it is popular,
and perhaps that it is (or at least has the reputation of being) of being easy to program, leading to programs written by people without understanding
of security implications.

My personal knowledge of PHP is somewhat meager, but having had to install
it recently for a developer I find the philosophy of the PHP security options
to be somewhat odd.  It almost seemed like the emphasis was on distrusting
the programmer rather than the person running the program.  I think it would
strongly benefit from the Perlish concept of data tainting.

3. Staying on top of new PHP vulnerabilities has become impossible, popping around everywhere. 
While I concede I am less than happy about the frequency with which patched
versions of php come out, and most versions include some security related
patches, I do not think it is impossible.  Furthermore, most of the "security"
patches have been rather localized, and affect only a small number of functions
and often only in rather specific circumstances, and with some knowledge of the
PHP applications running on your system you can often leap frog over some
of the versions.

Most bugtraq messages with PHP in the subject appear to be holes in specific applications, usually due to programming errors on the part of the application
author. This does not mean the language is inherently insecure; although it
may indicate that it is difficult to write secure PHP code. It could also
mean that PHP is easy enough to program that a lot of people without knowledge
of how to program securely are writing PHP code.

Tom Payerle Dept of Physics payerle@physics.umd.edu
University of Maryland (301) 405-6973
College Park, MD 20742-4111 Fax: (301) 314-9525

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Vulnerabilites in new laws on computer hacking, Craig Wright
Next by Date:  Re: H&R Block contact, Stan Bubrouski
Previous by Thread:  Re: PHP as a secure language? PHP worms? [was: Re: new linux malware], Christine Kronberg
Next by Thread:  Re: PHP as a secure language? PHP worms? [was: Re: new linux malware], Kevin Waterson
Indexes:  [Date] [Thread] [Top] [All Lists]