
Re: Languages/platforms used for Web apps. Any stats?

Subject: Re: Languages/platforms used for Web apps. Any stats?
Date: Sat, 25 Jun 2005 15:07:10 +1000
I don't know of any stats, but if anyone were to make a study, that's where I'd focus.

However, saying that:

* I review J2EE finance apps used in very large institutions. I find plenty of problems which need fixing
* I look after a PHP forum, which definitely could improve
* In my previous job, the most vulnerable app I ever reviewed was written in ASP in VBScript


I don't think the language has much to do with it beyond basic security posture. PHP could do a lot to redress the problems, for example, by:

* making echo do htmlentities by default, and having a special echo / print which doesn't, in case you really meant to spit out HTML
* deprecating the old function-based MySQL drivers (i.e. warnings when E_ALL is used) in favor of the MySQLi drivers or PDO, which have prepared statements
* in the next version of PHP, removing support for register_globals and making url_fopen permanently false
* removing implicit declarations and adding optional strong typing which really means it


The basic security posture of PHP has been improving, but honestly, it really depends on the quality of the coders and if they are aware of the security options open to them. The other thing is that there is a lot of PHP code out there written in the PHP 3 days which sorta runs okay on PHP 4 and 5, which shouldn't. PHP 3 really was a security nightmare - everything in the interpreter was set to be the most insecure possible posture with maximal attack surface area.

Andrew

On 25/06/2005, at 5:45 AM, Benjamin Livshits wrote:

Are there any good studies of what fraction of Web apps are written in
Java/J2EE vs C#/.NET vs PHP, etc.?

Many vulnerabilities reported on SecurityFocus.com daily involve PHP
programs. I was wondering if that's a reflection of the fact that many Web
apps out there are written in PHP. Or is it that vulnerabilities in
proprietary apps that are written in Java or C# simply don't make it to
SecurityFocus.com?


Thanks.
-Ben
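The three PHP habits Andrew's wish list targets (raw echo, SQL built by string concatenation, and reliance on register_globals) side by side with their hardened forms, as an added example that is not part of the thread. The in-memory SQLite database, the `posts` table and the sample inputs are constructed for illustration; `e()`, `findPost*()` and `isAdminHardened()` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread or from PHP itself.
// strict_types is the closest modern PHP gets to "strong typing which really means it".
declare(strict_types=1);

// --- 1. Output escaping -------------------------------------------------------
// echo/print emit raw bytes; any user-controlled string must pass through an
// escaping helper before it is placed in HTML.
function e(string $s): string
{
    // ENT_QUOTES also covers attribute context; ENT_SUBSTITUTE avoids returning ''
    // (and silently dropping the output) on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTitleVulnerable(string $title): string
{
    return "<h1>$title</h1>";            // markup in $title reaches the browser as-is
}

function renderTitleHardened(string $title): string
{
    return '<h1>' . e($title) . '</h1>'; // markup is rendered as literal text
}

// --- 2. Parameterised queries ------------------------------------------------
// The function-based mysql_* driver had no prepared statements, so every query
// was string concatenation. PDO (and MySQLi) keep the SQL text and the data apart.
function findPostVulnerable(PDO $db, string $id): array
{
    // $id becomes part of the SQL text: a quote inside it changes the query.
    $rows = $db->query("SELECT id, title FROM posts WHERE id = '$id'");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

function findPostHardened(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);      // $id is bound as data, never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 3. No register_globals --------------------------------------------------
// With register_globals=On, request parameters silently became PHP variables,
// so a flag that was only ever set on success (if ($isAdmin) { ... }) could be
// supplied by the client. Initialise every variable and read request data only
// through the superglobals or an explicit parameter.
function isAdminHardened(array $session): bool
{
    $isAdmin = false;                    // explicit default; nothing can pre-set it
    if (isset($session['role']) && $session['role'] === 'admin') {
        $isAdmin = true;
    }
    return $isAdmin;
}

// --- Demonstration on constructed input --------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id TEXT PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts VALUES ('1', 'public'), ('2', 'draft')");

$untrustedTitle = '<script>alert(1)</script>';     // constructed sample input
echo renderTitleVulnerable($untrustedTitle), "\n"; // <h1><script>alert(1)</script></h1>
echo renderTitleHardened($untrustedTitle), "\n";   // <h1>&lt;script&gt;alert(1)&lt;/script&gt;</h1>

$untrustedId = "1' OR '1'='1";                     // constructed sample input
echo count(findPostVulnerable($db, $untrustedId)), " rows via concatenation\n";     // 2: filter bypassed
echo count(findPostHardened($db, $untrustedId)), " rows via prepared statement\n";  // 0: no such id

var_dump(isAdminHardened(['role' => 'user']));     // bool(false)
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension. The point of the pairing is that the hardened forms are not more work than the vulnerable ones; the difference is whether the default path (plain echo, plain query, an uninitialised flag) is the safe one, which is exactly what the list above asks the language to change.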



