[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200606242242.k5OMgdUI029955@caligula.anu.edu.au>
Date: Sun, 25 Jun 2006 08:42:39 +1000 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: jmullee@...oo.com
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP security (or the lack thereof)
In some mail from john mullee, sie said:
>
> --- Darren Reed <avalon@...igula.anu.edu.au> wrote:
> > From my own mail archives, PHP appears to make up at least 4%
> > of the email to bugtraq I see - or over 1000 issues since 1995,
> > out of the 25,000 I have saved.
> >
> > People complain about applications like sendmail...in the same
> > period, it has been resopnsible for less than 200.
> >
> > Do we have a new contender for worst security offender ever
> > written ?
>
> I guess most of the remaining offending apps were written in C: as much as 96% ?!!
> (including basically all of microsoft's stuff!!)
>
> Surely the least secure language of all time !!!
>
> Note also that no vulnerable apps were written in:
> - cobol, rpg3, prolog, ada, scheme, lisp, pl/1, occam, modula-2, or MIX
But in the 1990s, Java was created.
Java applications exist.
Java servlets and applets also exist.
There have barely a *handful* of JRE/JVM security problems.
So the point of this is to say that new, modern, development
languages that are secure can be and are being developed and
used. That PHP is relatively new with respect to computing
and has so many security problems should be an embaressment
to its developers and users.
Or to put it another way, if there are so many security
problems with PHP then the PHP development model or use model
needs to be seriously reconsidered and redeveloped such that
it is immune to such security issues. This may, of course,
mean throwing away PHP and starting over (see C/C++ -> Java).
Oh, and btw, you forgot to mention fortran.
Darren
Powered by blists - more mailing lists