[Freedombox-discuss] PHP Alternatives?

Ben Mendis dragonwisard at gmail.com
Mon Jul 16 18:06:04 UTC 2012


In his 2010 Keynote at The Next HOPE, Dan Kaminsky pointed out the
following:

"The bottom-line is that there just isn't a large measurable difference
in the security postures from language to language or framework
to framework -- specifically Microsoft ASP Classic, Microsoft .NET, Java,
Cold Fusion, PHP, and Perl. Sure in theory one might be
significantly more secure than the others, but when deployed on the Web
it's just not the case."
--Jeremiah Grossman, CTO, White Hat Security
(a guy who has audited a lot of web applications)

http://www.scribd.com/doc/33001026/Interpolique


And Dan Kaminsky and Jeremiah Grossman are not the only two security
guys who have come to this conclusion.

Sure, PHP isn't my favorite language... but blaming bad code on PHP, and
assuming that changing the language is a panacea for security, is pretty
silly. I've seen bad code in nearly every language I've ever
encountered. Even in the Haskell world you can find examples of bad,
insecure code. PHP isn't inherently impossible to secure; most of the
vulnerabilities people find in PHP webapps are things that could
affect webapps written in _any_ language, not something inherent to the
PHP platform.


On Sun, 15 Jul 2012, Jonas Smedegaard wrote:

> On 12-07-15 at 10:26am, Melvin Carvalho wrote:
>> On 15 July 2012 03:08, Nick M. Daly <nick.m.daly at gmail.com> wrote:
>>
>>> So, since there is a lot of concern about including PHP on the
>>>
>>
>> What are the issues with PHP?
>
> The issue with PHP is the high risk of security flaws.
>
> It is a mixture of a technical and social issue: The code itself has a
> track record of many horrible bugs and is easy to write buggy code with,
> and the community around the language generally encourages a sloppy
> coding style that does not care enough about security flaws.
>
> PHP is quite popular, but contrary to big PHP using sites like Facebook,
> FreedomBox has no sysadmin to check the log files and intervene if (or
> when!) something goes wrong.
>
> I work as a sysadmin but charge clients independently on time spent.
> That gives an incentive to invest my time in optimal _initial_ setup and
> use least possible time (ideally none!) on _maintenance_.
>
> So I try hard to avoid languages like PHP, and also rapid frameworks
> like Rails (Ruby) and Django (Python), because IMO they have similar
> worrisome patterns of encouraging sloppy coding, even if the underlying
> language may have sane, security-aware code and culture.
>
>
> - Jonas
>
> -- 
> * Jonas Smedegaard - idealist & Internet-arkitekt
> * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
> [x] quote me freely  [ ] ask before reusing  [ ] keep private
>