WebApp Sec mailing list archives
RE: [OWASP-GUIDE] Question concerning usage of languages for webapps
From: "Chris Todd" <chris () christophertodd com>
Date: Sun, 16 May 2004 21:46:16 -0400
Ofer, While the statistics you cite regarding the distribution of programming languages in commercial web apps are probably accurate (they certainly jive with my experience), I have to admit that I find your bias towards commercial web apps troubling. OWASP does not exist solely to improve the security of commercial web applications, it exists to improve the security of *ALL* web applications, and in that respect PHP is *way* more important than ASP/ASP.NET/.NET/Java, because there are thousands of PHP applications out there that desperately need to be improved, and there are many more PHP-enabled apache web servers than there are IIS servers (see Netcraft). Anyone who cares about the security of the Internet as a whole understands that we need to teach as many people as possible how to write secure web apps, because every insecure web app, wherever it may be on the Internet, and whatever language it is written in, is a possible attack vector against our systems. Every cross site scripting attack that can be used to compromise a client machine, every SQL injection attack that can reveal sensitive data, every web server that gets rooted because of an insecure PHP/Perl/C CGI script, is another platform for launching attacks. While it may sound like a pipe dream to some, I honestly believe that OWASP can make a contribution to the overall security of the Internet by removing the low-hanging fruit hackers use to compromise web apps. Teach web app developers to do just a few things differently, to be just a little paranoid, to validate all input, and the hackers have to work a lot harder. Anything that makes hackers' lives more difficult is a Good Thing(TM) in my book. Therefore, in my opinion (for however many cents it's worth), PHP should be the number one language the Guide focuses on. Of course, it should include coverage of Java, the MS technologies, and probably also Perl, but PHP should receive it's strongest and deepest focus, because that's where the Guide can make the greatest impact. Regards, Chris -----Original Message----- From: Imperva Application Defense Center [mailto:adc () imperva com] Sent: Sunday, May 16, 2004 8:05 AM To: Adrian Wiesmann; webappsec () securityfocus com Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for webapps Dear List, I have to say I find the results troublingm, as they are very open-source oriented, rather than real-world industry oriented. Our company has performed several hundred PT's in the last few years. Only very few were PHP (less than 5). I agree you may find many PHP sites online, but the majority of these sites are free or small sites. Most commercial organizations that run business applications do not use PHP, but rather one of the commercial infrastructures. Same reference goes to perl. Perl has lost most of its popularity in real world web applications. It can still be seen often, again, in non commercial sites, yet it is not as widely used as it was used 5-7 years ago, when CGI's were the main stream of web applcations. On the other hand, I find the low ranking of ASP applications very surprising. This is, of course, an old technology, which is slowly being replaced with ASP.Net, yet is still widely used (and probably still used a lot more than ASP.Net). Therefore, although new applications written from scratch are likely to be written in ASP.Net, there is a lot of code that is still being written in ASP, as part of existing applications, which makes it, in my opinion, probably the most important or second most important infrastructure. It is my belief that such as document should refer to what's mostly used in the industry, and therefore put the two main commercial technologies (mainly ASP/ASP.Net and Java/JSP) as the top priority. As for other content infrastructure, such as ColdFusion, Vignette, DB-Specific environments, etc - There are so many of them, that I think there should be general guidelines, which shold be written clear enough so that developers will be able to deduct from them about the specific technology in use. Sincerely, Ofer Maor Application Defense Center Manager Imperva(tm) Inc. http://www.imperva.com/adc/ -----Original Message----- From: Adrian Wiesmann [mailto:awiesmann () swordlord org] Sent: Friday, May 14, 2004 7:59 PM To: webappsec () securityfocus com Subject: Re: [OWASP-GUIDE] Question concerning usage of languages for webapps Hello list Thank you for your help concerning my question about web application languages usage. Please note that I neither counted the total sum of replies nor is the list below in any way representative. I only use it to decide on which language to cover in the OWASP Guide v2. Here are the results in one simple list. The numbers below the language names represent the number of time the language was mentioned (so one user could mention multiple languages, but every language only one time). One speciality is the ASP.NET line. The number left of the equals sign is the total number of mentionings and the numbers on the right define which languages are used within the .NET framework. This means that one developer can use both c# and vb.net. (But this counts only once.) PHP 14 Java/JSP 10 Perl 9 (one person said perl for backend purposes and php for frontend) ASP.NET (undefined/C#/VB.NET) 9 = 5 / 3 / 2 ASP 5 Python 3 PL/SQL 2 TSQL 2 ColdFusion 1 Sybase PowerScript 1 TCL 1 C 1 Delphi 1 JavaScript 1 The interpretation of the result is yours :) Thanks again for your help, Adrian
Current thread:
- RE: [OWASP-GUIDE] Question concerning usage of languages for webapps Imperva Application Defense Center (May 16)
- Re: [OWASP-GUIDE] Question concerning usage of languages for webapps Adrian Wiesmann (May 16)
- RE: [OWASP-GUIDE] Question concerning usage of languages for webapps Chris Todd (May 17)
- <Possible follow-ups>
- RE: [OWASP-GUIDE] Question concerning usage of languages for webapps Imperva Application Defense Center (May 17)
- RE: [OWASP-GUIDE] Question concerning usage of languages for webapps Imperva Application Defense Center (May 17)