Re: PHP as a secure language? PHP worms? [was: Re: new linux malware]

["Matthew Schiros" <schiros () gmail com>]

> That doesn't seem to follow, to me.  You cited the Linux as another
> example of a product with flaws, so it seems that you thought of it
> as being separate.  But now you argue that because I said that the
> Linux community has less patience for design flaws that PHP's success
> supports your point.  But while there's overlap between the community
> of people driving Linux development and the community of people
> driving PHP development, they are not the same community.

Oh, I apologize.  I misunderstood your point Re: Linux.  I thought it
was a seperate assertion, not connected to my statement that Linux
also suffers from security issues.

You're right, of course, that they aren't the same community, but the
overlap is not inconsiderable.  Apart from the masochists who run PHP
on Windows, they're probably almost identical.  Now, it's different
tools for different jobs, so it goes to figure that people will be a
lot more vigilant when it comes to making sure an operating system is
secure than they will a scripting language, but syadmins, the people
who will be dealing with the actual design flaws of PHP, as opposed to
the coders who deal with the implementation flaws, are likely to be
relatively security-conscious individuals.  That may be a mistaken
assumption, but I doubt it.  With that in mind, we can safely assume
that the necessary work to keep a system that supports PHP secure
isn't overwhelming, or there never would have been buy-ins from the
sysadmins in the first place.  As a counter-example, how many systems
run Tomcat, even though Java is without question a better development
platform than PHP?  More probably would run it if it weren't for it's
myriad of issues, both in security and stability.  Again, this is not
a claim that PHP is a miracle engine, just that it's not as bad as
people make it out to be, and that the security problems associated
with it are the same as you'd find in any web engine.

> You're right that we shouldn't apply a different standard, but it's
> not clear to me that we are.  In Java, for example, a lot of thought
> has been put into designing the language and platform so that they
> lead the programmer into writing more secure code.  Frankly such
> efforts are often misguided, and Ada is probably a good example of a
> bad effort to use the language to save the programmer from himself.
> I think Java has done a good job of guiding the programmer toward
> better design, without getting in the way, too much.

Conceded.  PHP could do more to point developers in the direction of
secure coding, but that's not really relevant to this particular point
of contention, which, at least from my angle, seems to be the inherent
insecurity of PHP as compared to other languages.  You can write
insecure Java code, you can write insecure PHP code, and while
instances of the latter are far more prevalent than instances of the
former, it's not on the language architects to tackle that problem,
it's on individual developers.  It would be nice, though.

> I'm not saying that PHP should be banned from the internet.  But I
> am saying that there are meaningful standards that other languages
> can meet that PHP can't.  I also have to admit that PHP has a
> design goal that Java does not, and that goal is the ability to
> support very rapid development of programs to generate dynamic
> web content.  Languages that support quick and dirty development
> face different challenges than those designed for large, formal
> projects.

Again, conceded.

> I'm also saying that it's probably a mistake to point to the flaws
> in these other platforms as a way to dismiss security related
> criticisms of the design of PHP.  In particular, I don't think
> security concerns were ever as central to the design of PHP the
> way that they were for Java.  I think a lot of us in the security
> community would be happier with PHP if there had been more thought
> about security from the very start.  And whatever weaknesses Java
> may have, it does at least show that designing in security from
> the start can have a profound effect on a language.

I'm not dismissing security related concerns with PHP, not in the
least.  I'm fully supportive of all attempts by anybody to bring light
to security problems in any language or program.  I just think that,
when it comes to PHP, people are very willing to throw the baby out
with the bathwater, and consider PHP either valueless, or, in some
cases, outright disadvantageous because of poor implementation by
developers that they then translate into a structural flaw with the
language.  Yes, security SHOULD be a consideration when designing a
language.  That it wasn't in the case of PHP is unfortunate, but
hardly fatal.

> Yes, we should be grateful for that.  8-)  And things could be even
> worse;  We should be glad that PHP doesn't include ActiveX.

*Brain Explodes*