Re: [OWASP-GUIDE] Question concerning usage of languages for webapps

[Adrian Wiesmann <awiesmann () swordlord org>]

> I have to say I find the results troublingm, as they are very
> open-source oriented, rather than real-world industry oriented. 

As I mentioned before, the results were "everything else than
representative". 

What I wanted to see with this short questionaire was to get the general
feeling and find out if there is anything we have forgotten or missed.
Like TCL or having Perl as backend. 

I actually tried to omit to explain in detail what the result means to the
Guide v2. But here we go anyway:

There are 3 ways to do web applications (of course there are more, but we
can break things down to 3 types. Or better 4 but Client Side Scripting is
not really an option for a complete Web Application...):

- Scripting (ASP, PHP, Perl, ...)
- Enhanced Applications (C, ... via CGI or something equal)
- Frameworks (Java, .NET)

While all these three share some common problems and mitigation tactics,
they also have some very specific problems. This results in the Guide v2
having to cover all these 3 types. 

But it does not really matter if we cover ASP or PHP since both share some
problems and best practices. Of course there are always attacks which are
language specific but these will not be covered in Guide v2 for very
obvious reasons. 


> It is my belief that such as document should refer to what's mostly used
> in the industry, and therefore put the two main commercial technologies
> (mainly ASP/ASP.Net and Java/JSP) as the top priority. 

ASP != ASP.NET as mentioned above. But you are right and in a way like
described above the Guide v2 will cover that topic.

Regards,
Adrian

P.S: The result from the questionary allows a few conclusions which I
leave to the reader to choose from:

- webappsec members are mostly from the open source community
- developers of commercial applications are not interested in web security
- the result was representative

:)