[ale] Seven Deadly Sins
Geoffrey
esoteric at 3times25.net
Fri Jun 13 05:51:56 EDT 2003
Christopher Bergeron wrote:
> Transam wrote:
>
>> Regarding PHP, I recommended against using it because the program itself
>> has had a recent history of lots of severe security vulnerabilities.
>> Thus, even if one uses it correctly, one's system is at significant
>> risk of compromise. I am fond of saying that security is not convenient.
>> In this case, it means find another solution. I put IIS in the same
>> category, but more so.
>>
> Too late. The PHP genie is out of the bottle. It's FAST, it's EASY,
> and it's surprisingly powerful. Not using it for web development because
> it "has had a recent history of ... security vulnerabilities" is roughly
> equivalent to asking people not to use apache, dns, or ssh (those
> packages have also recently been found to have serious security
> issues/bugs). In fact, a more poignant argument would be that we
> shouldn't use C as a programming language because it suffers from
> strcmp() (and many other) issues that don't check variables before
> passing them blindly into memory. The language itself shouldn't be the
> target, the coded product should be.
There's a difference between using a language incorrectly and using a
tool that has a known exploit. Further, a lot depends on the number of
vulnerabilities, and the ease with which they can be exploited. As we all
know ssh has had a vulnerability or two, but I'm sure we all still use
it. On the other hand, products that demonstrate a complete lack of
security consciousness are ones I most definitely steer clear of (can we
say Microsoft?)
>
>> In the book I also give recommendations for secure programming techniques
>> that include having all code audited by someone knowledgeable in auditing
>> for security problems. I also point out that many programmers who do
>> CGI programming, including PHP, are not knowledgeable in how to write
>> code that avoids security vulnerabilities.
>>
> I wholeheartedly agree with this point since my php programmer and I are
> constantly duking it out. He wants to just get the code done, and I
> always seem to end up as the bad guy who is constantly throwing
> "hurdles" in his way because I don't want to blindly accept (or trust)
> input from users, cookies, or ANYTHING that I/we/our_code don't have
> complete control over.
I would have a huge problem with a programmer who you have to constantly
oversee because of these issues. If he/she is not learning from your
head-banging sessions, then he/she should be looking for a job. Maybe
she/he is, but you didn't seem to indicate as such.
> However, as a fellow PHP coder (and net/sec
> admin), I think that the only real pseudo-advantage that the PHP
> alternatives have to offer is that they are obscure. As we all know,
> security _can't_ be obtained through obscurity. cgi, perl, et al; have
> not been adopted as thoroughly as PHP has (to date) for web programming;
What???? I don't have the stats, but if you do, I'd like to see them.
Perl was around a long time before php showed up on the internet. I
find it hard to believe that php usage exceeds perl.
> However, as always, a good relationship between coders and
> network/security guys is the winning combination. Cutting corners on
> either side is a recipe for disaster; and corporate execs need to
> realize that if they can't accommodate both situations (rapid development
> _and_ secure coding), they're asking for a corporate disaster.
And there are tons of them out there.
--
Until later: Geoffrey esoteric at 3times25.net
The latest, most widespread virus? Microsoft end user agreement.
Think about it...
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
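The point Christopher makes above about not blindly trusting input from users, cookies, or anything the application does not control is easiest to see in code. The following is an added example, not code from the ALE thread or from either poster: a PHP fragment that trusts a cookie value directly (SQL injection on the way in, script injection on the way out) beside a hardened version of the same lookup. The table, column and cookie names, the hostile input, and the SQLite in-memory database are all invented for illustration.

```php
<?php
// Added example, not from the ALE thread. The "don't trust user input or
// cookies" principle shown as a vulnerable PHP lookup beside a hardened one.
// The users table, the cookie value and the SQLite in-memory database are
// constructed for illustration only.

declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");
    return $db;
}

// VULNERABLE: the cookie value is spliced straight into the SQL statement
// and the result is echoed back unescaped. Both problems come from treating
// $_COOKIE (here passed in as $cookieId) as something the application controls.
function lookupUnsafe(PDO $db, string $cookieId): string {
    $sql = "SELECT name FROM users WHERE id = " . $cookieId;   // SQL injection
    $name = $db->query($sql)->fetchColumn();
    return "<p>Hello " . $name . "</p>";                       // script injection on output
}

// HARDENED: accept only the shape of input the application expects (an
// allow-list, not a block-list), bind the value as a query parameter so it
// can never be parsed as SQL, and encode anything from the database before
// it goes into HTML.
function lookupSafe(PDO $db, string $cookieId): string {
    if (!preg_match('/^[0-9]{1,10}$/', $cookieId)) {
        return "<p>Invalid session</p>";
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $cookieId]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return "<p>Unknown user</p>";
    }
    return "<p>Hello " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "</p>";
}

// Constructed inputs: what a normal browser sends, and what an attacker sends
// after editing the cookie by hand.
$db = makeDb();
$benign  = "2";
$hostile = "0 UNION SELECT '<script>alert(1)</script>'";

echo lookupUnsafe($db, $benign), "\n";
echo lookupUnsafe($db, $hostile), "\n";
echo lookupSafe($db, $benign), "\n";
echo lookupSafe($db, $hostile), "\n";
```

Run it with the pdo_sqlite extension enabled. With the hostile cookie the unsafe path lets the UNION clause supply its own row, so the attacker's script tag ends up in the page; the hardened path rejects the value at the regex before it ever reaches the query, and even a legitimately stored name is HTML-encoded on the way out. The three controls (validate shape, bind parameters, encode output) are independent; the example applies all three because any one of them alone leaves one of the two original problems open.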