[ale] Seven Deadly Sins
Christopher Bergeron
christopher at bergeron.com
Thu Jun 12 23:49:02 EDT 2003
Transam wrote:
>Regarding PHP, I recommended against using it because the program itself
>has had a recent history of lots of severe security vulnerabilities.
>Thus, even if one uses it correctly, one's system is at significant
>risk of compromise. I am fond of saying that security is not convenient.
>In this case, it means find another solution. I put IIS in the same
>category, but more so.
>
Too late. The PHP genie is out of the bottle. It's FAST, it's EASY,
and it's surprisingly powerful. Not using it for web development because
it "has had a recent history of ... security vulnerabilities" is roughly
equivalent to asking people not to use apache, dns, or ssh (those
packages have also recently been found to have serious security
issues/bugs). In fact, a more poignant argument would be that we
shouldn't use C as a programming language because it suffers from
strcmp() (and many other) issues that don't check variables before
passing them blindly into memory. The language itself shouldn't be the
target, the coded product should be.
>In the book I also give recommendations for secure programming techniques
>that include having all code audited by someone knowledgeable in auditing
>for security problems. I also point out that many programmers who do
>CGI programming, including PHP, are not knowledgeable in how to write
>code that avoids security vulnerabilities.
>
I wholeheartedly agree with this point since my php programmer and I are
constantly duking it out. He wants to just get the code done, and I
always seem to end up as the bad guy who is constantly throwing
"hurdles" in his way because I don't want to blindly accept (or trust)
input from users, cookies, or ANYTHING that I/we/our_code don't have
complete control over. However, as a fellow PHP coder (and net/sec
admin), I think that the only real pseudo-advantage that the PHP
alternatives have to offer is that they are obscure. As we all know,
security _can't_ be obtained through obscurity. CGI, Perl, et al. have
not been adopted as thoroughly as PHP has (to date) for web programming;
and as a direct result, I maintain that PHP is targeted more often. A
comparison of adoption-TO-critical-vulnerabilities, or
market-saturation-TO-compromised-hosts, etc. would probably be a much
more convincing argument.
However, as always, a good relationship between coders and
network/security guys is the winning combination. Cutting corners on
either side is a recipe for disaster; and corporate execs need to
realize that if they can't accommodate both situations (rapid development
_and_ secure coding), they're asking for a corporate disaster.
>For those that don't want to take my word, have a look, if you dare, at:
>
> http://www.na-tech.com/
>
>That web site presently is compromised and "owned" by a cracker.
>It happens to be IIS rather than PHP. There may be a risk to
>vulnerable browsers. (Thanks to Jonathan Glass who told me about it.)
>
Why post an IIS hacked site as an example in a PHP-dominant
discussion/email-thread _after_ stating that you trust IIS _less_ than
PHP? Wouldn't an equivalent link of a PHP hacked site solidify your
point more concretely?
-CB
P.S.
Bob - please note that I don't intend any disrespect here; I simply find
your logic flawed (or most likely unclear) and as a PHP semi-enthusiast,
I feel that a defense was in order. We can't turn back the clock, but we
can hopefully help educate our peers (the few that aren't in the know
[ALE is an indisputably clued-in gang]), and help get the
security/secure coding point across...
Best regards,