
| Subject: | Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] |
|---|---|
| Date: | Fri, 24 Feb 2006 15:13:56 -0600 |

PHP, like any and all projects, does indeed have security flaws. So does MySQL. So does Linux. So does sshd. So does Windows. To claim that we should abandon any individual service simply because it has security bugs is absurd. Yes, there are non-trivial problems with PHP's memory management, but the same could easily be said for Java as well.

I don't really get Gadi's point. Is he claiming that keeping up to date on security fixes is too much of a hassle for him? Or is he claiming that he doesn't want to use PHP applications, because they are often riddled with security holes? Or is he just bitching in general that there's insecure software out there? It seems like it's probably the latter.

When's the last time you saw a super-secure program written in Perl, or ColdFusion, or ASP, or any other web language for that matter? People do buffer overflow attacks on Apache all the time, is he planning on abandoning that? Security requires vigilance, get over it.

On 2/22/06, Kevin Waterson <kevin@oceania.net> wrote:
> This one time, at band camp, Gadi Evron <ge@linuxbox.org> wrote:
>
> > 3. Staying on top of new PHP vulnerabilities has become impossible, popping around everywhere.
>
> What vulnerabilities in PHP? Are you implying the fault is within the language itself? This is akin to saying C has vulnerabilities because some script kiddie wrote a poor application.
>
> > 4. Determining how secure a PHP application is, looking at the code and for how silly past vulnerabilities were (i.e. looking at the coder rather than the code) is now more important than the actual application.
>
> As with all web based technologies, security should be the foundation of the application
>
> > Much like their self criticism said, PHP needs to grow to a far more secure language, much like we need to choose more carefully what PHP software we use.
>
> Which self criticism is this?
>
> > Some of us have been joking for a while about creating a script to choose from different paragraphs we create, and email bugtraq re-assembling them randomly with a new PHP bug and a random PHP application name every few hours. Would any of us be able to readily tell the difference?
>
> Perhaps we can do the same for linux kernel problems and blame it on C?
>
> Kind regards
> Kevin
>
> --
> "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote."