WebApp Sec mailing list archives

RE: [OWASP-GUIDE] Question concerning usage of languages for webapps


From: "Chris Todd" <chris () christophertodd com>
Date: Sun, 16 May 2004 21:46:16 -0400

Ofer,

While the statistics you cite regarding the distribution of programming
languages in commercial web apps are probably accurate (they certainly jibe
with my experience), I have to admit that I find your bias towards
commercial web apps troubling.

OWASP does not exist solely to improve the security of commercial web
applications; it exists to improve the security of *ALL* web applications,
and in that respect PHP is *way* more important than ASP/ASP.NET/.NET/Java,
because there are thousands of PHP applications out there that desperately
need to be improved, and there are many more PHP-enabled apache web servers
than there are IIS servers (see Netcraft).

Anyone who cares about the security of the Internet as a whole understands
that we need to teach as many people as possible how to write secure web
apps, because every insecure web app, wherever it may be on the Internet,
and whatever language it is written in, is a possible attack vector against
our systems.  Every cross site scripting attack that can be used to
compromise a client machine, every SQL injection attack that can reveal
sensitive data, every web server that gets rooted because of an insecure
PHP/Perl/C CGI script, is another platform for launching attacks.

While it may sound like a pipe dream to some, I honestly believe that OWASP
can make a contribution to the overall security of the Internet by removing
the low-hanging fruit hackers use to compromise web apps.  Teach web app
developers to do just a few things differently, to be just a little
paranoid, to validate all input, and the hackers have to work a lot harder.
Anything that makes hackers' lives more difficult is a Good Thing(TM) in my
book.

Therefore, in my opinion (for however many cents it's worth), PHP should be
the number one language the Guide focuses on.  Of course, it should include
coverage of Java, the MS technologies, and probably also Perl, but PHP
should receive its strongest and deepest focus, because that's where the
Guide can make the greatest impact.

Regards,
Chris

-----Original Message-----
From: Imperva Application Defense Center [mailto:adc () imperva com] 
Sent: Sunday, May 16, 2004 8:05 AM
To: Adrian Wiesmann; webappsec () securityfocus com
Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for
webapps


Dear List,

I have to say I find the results troubling, as they are very open-source
oriented, rather than real-world industry oriented.

Our company has performed several hundred PTs in the last few years. Only
a very few were PHP (fewer than 5). I agree you may find many PHP sites online,
but the majority of these sites are free or small sites. Most commercial
organizations that run business applications do not use PHP, but rather one
of the commercial infrastructures. The same goes for Perl. Perl has
lost most of its popularity in real-world web applications. It can still be
seen often, again, on non-commercial sites, yet it is not as widely used as
it was 5-7 years ago, when CGIs were the mainstream of web
applications.

On the other hand, I find the low ranking of ASP applications very
surprising. This is, of course, an old technology, which is slowly being
replaced by ASP.Net, yet it is still widely used (and probably still used a
lot more than ASP.Net). Therefore, although new applications written from
scratch are likely to be written in ASP.Net, there is a lot of code that is
still being written in ASP, as part of existing applications, which makes
it, in my opinion, probably the most important or second most important
infrastructure.

It is my belief that such a document should refer to what's mostly used in
the industry, and therefore put the two main commercial technologies (mainly
ASP/ASP.Net and Java/JSP) as the top priority. As for other content
infrastructures, such as ColdFusion, Vignette, DB-specific environments, etc.,
there are so many of them that I think there should be general
guidelines, written clearly enough that developers will be
able to deduce from them what applies to the specific technology in use.

Sincerely,

Ofer Maor
Application Defense Center Manager
Imperva(tm) Inc.
http://www.imperva.com/adc/


-----Original Message-----
From: Adrian Wiesmann [mailto:awiesmann () swordlord org] 
Sent: Friday, May 14, 2004 7:59 PM
To: webappsec () securityfocus com
Subject: Re: [OWASP-GUIDE] Question concerning usage of languages for
webapps


Hello list

Thank you for your help concerning my question about web application
language usage. Please note that I neither counted the total sum of replies
nor is the list below in any way representative. I only use it to decide on
which languages to cover in the OWASP Guide v2.

Here are the results in one simple list. The numbers below the language
names represent the number of times the language was mentioned (so one user
could mention multiple languages, but every language only one time). One
special case is the ASP.NET line. The number left of the equals sign is the
total number of mentions and the numbers on the right define which
languages are used within the .NET framework. This means that one developer
can use both C# and VB.NET. (But this counts only once.)

PHP: 14
Java/JSP: 10
Perl: 9 (one person said Perl for backend purposes and PHP for frontend)
ASP.NET (undefined/C#/VB.NET): 9 = 5 / 3 / 2
ASP: 5
Python: 3
PL/SQL: 2
TSQL: 2
ColdFusion: 1
Sybase PowerScript: 1
TCL: 1
C: 1
Delphi: 1
JavaScript: 1

The interpretation of the result is yours :)

Thanks again for your help,
Adrian
