Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Languages/platforms used for Web apps. Any stats?

from [Mark Susol Ultimate Creative Media] Network Security [Permanent Link]
Subject: Re: Languages/platforms used for Web apps. Any stats?
Date: Sat, 25 Jun 2005 09:41:39 -0400 
Invalid characters removed from From: Mark Susol | Ultimate Creative Media

On 6/25/05 12:00 AM, "Matt Szubrycht" <matt@bannermasterinc.com> wrote:


Ben,

It's probably because of the easy learning curve offered by PHP.  Easy
'hello world' leads to popularity it seems.

Just my 2 cents,
Matt


-----Original Message-----
From: Benjamin Livshits [mailto:livshits@cs.stanford.edu]
Sent: Friday, June 24, 2005 12:46 PM
To: webappsec@securityfocus.com
Subject: Languages/platforms used for Web apps. Any stats?


Are there any good studies of what fraction of Web apps are written in
Java/J2EE vs C#/.NET vs PHP, etc.

Many vulnerabilities reported on SecurityFocus.com daily involve PHP
programs. I was wondering if that's a reflection of the fact that many Web
apps out there are written in PHP. Or is it that vulnerabilities in
proprietary apps that is written in Java or C# simply doesn't make it to
SecurityFocus.com?

Thanks.
-Ben


May I offer this perspective:

I believe this is not so much a function of the language used, but an
"unintended consequence" of the open source movement?

I don't think the problem so much is that the language is easy to learn or
that these folks deployed insecure programming, but that the code is OPEN
and you can STUDY it and find the vulnerabilities at your leisure. And with
the  success of google, once you find an exploit its so easy to find all the
sites using the same software most likely several versions outdated and its
really easy pickings. I subscribe to this list just to get the heads up on
anything I'm using off the open source shelf.

PHP is probably the fastest growing language if you look at how many scripts
are populating sites like hotscripts.com, but there are also teams of
developers using PHP in a security minded deployment that still have
problems. PhpBB software is a big one for instance. They just recently took
the version # out of the footer code so google won't find the outdated sites
so easily.

For this reason I prefer to make my own custom php applications so my code
isn't out there to be studied. However for something like a forum, you kinda
have to hope those programming are keeping up with this unintended
consequence of having their code hanging out there for all to study.

Sometimes is better knowing you paid for that security rather than going the
open source route. With that said, I'm still using some stuff I bought that
is in php and the code is out there enough to be studied.


Mark Susol
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Languages/platforms used for Web apps. Any stats?, Mark Curphey
Next by Date:  RE: Languages/platforms used for Web apps. Any stats?, Steve Slater
Previous by Thread:  RE: Languages/platforms used for Web apps. Any stats?, Matt Szubrycht
Next by Thread:  Re: Languages/platforms used for Web apps. Any stats?, Steve McCullough
Indexes:  [Date] [Thread] [Top] [All Lists]