WebApp Sec mailing list archives

RE: [OWASP-GUIDE] Question concerning usage of languages for webapps


From: "Imperva Application Defense Center" <adc () imperva com>
Date: Sun, 16 May 2004 14:05:16 +0200

Dear List,

I have to say I find the results troubling, as they are very
open-source oriented, rather than real-world industry oriented. 

Our company has performed several hundred PT's in the last few years.
Only very few were PHP (less than 5). I agree you may find many PHP
sites online, but the majority of these sites are free or small sites.
Most commercial organizations that run business applications do not use
PHP, but rather one of the commercial infrastructures. Same reference
goes to perl. Perl has lost most of its popularity in real world web
applications. It can still be seen often, again, in non commercial
sites, yet it is not as widely used as it was used 5-7 years ago, when
CGI's were the mainstream of web applications.

On the other hand, I find the low ranking of ASP applications very
surprising. This is, of course, an old technology, which is slowly being
replaced with ASP.Net, yet is still widely used (and probably still used
a lot more than ASP.Net). Therefore, although new applications written
from scratch are likely to be written in ASP.Net, there is a lot of code
that is still being written in ASP, as part of existing applications,
which makes it, in my opinion, probably the most important or second
most important infrastructure. 

It is my belief that such a document should refer to what's mostly used
in the industry, and therefore put the two main commercial technologies
(mainly ASP/ASP.Net and Java/JSP) as the top priority. As for other
content infrastructure, such as ColdFusion, Vignette, DB-Specific
environments, etc - There are so many of them, that I think there should
be general guidelines, which should be written clearly enough so that
developers will be able to deduct from them about the specific
technology in use.

Sincerely,

Ofer Maor
Application Defense Center Manager
Imperva(tm) Inc.
http://www.imperva.com/adc/


-----Original Message-----
From: Adrian Wiesmann [mailto:awiesmann () swordlord org] 
Sent: Friday, May 14, 2004 7:59 PM
To: webappsec () securityfocus com
Subject: Re: [OWASP-GUIDE] Question concerning usage of languages for
webapps


Hello list

Thank you for your help concerning my question about web application
languages usage. Please note that I neither counted the total sum of
replies nor is the list below in any way representative. I only use it
to decide on which language to cover in the OWASP Guide v2.

Here are the results in one simple list. The numbers below the language
names represent the number of times the language was mentioned (so one
user could mention multiple languages, but every language only one
time). One speciality is the ASP.NET line. The number left of the equals
sign is the total number of mentions and the numbers on the right
define which languages are used within the .NET framework. This means
that one developer can use both c# and vb.net. (But this counts only
once.)

PHP
14

Java/JSP
10

Perl
9
(one person said perl for backend purposes and php for frontend)

ASP.NET (undefined/C#/VB.NET)
9 = 5 / 3 / 2

ASP
5

Python
3

PL/SQL
2

TSQL
2

ColdFusion
1

Sybase PowerScript
1

TCL
1

C
1

Delphi
1

JavaScript
1

The interpretation of the result is yours :)

Thanks again for your help,
Adrian

