Message-ID: <200606242242.k5OMgdUI029955@caligula.anu.edu.au>
Date: Sun, 25 Jun 2006 08:42:39 +1000 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: jmullee@...oo.com
Cc: bugtraq@...urityfocus.com
Subject: Re: PHP security (or the lack thereof)


In some mail from john mullee, sie said:
> 
> --- Darren Reed <avalon@...igula.anu.edu.au> wrote:
> > From my own mail archives, PHP appears to make up at least 4%
> > of the email to bugtraq I see - or over 1000 issues since 1995,
> > out of the 25,000 I have saved.
> > 
> > People complain about applications like sendmail...in the same
> > period, it has been responsible for less than 200.
> > 
> > Do we have a new contender for worst security offender ever
> > written ?
> 
> I guess most of the remaining offending apps were written in C: as much as 96% ?!!
> (including basically all of microsoft's stuff!!)
> 
> Surely the least secure language of all time !!!
> 
> Note also that no vulnerable apps were written in:
>  - cobol, rpg3, prolog, ada, scheme, lisp, pl/1, occam, modula-2, or MIX

But in the 1990s, Java was created.

Java applications exist.

Java servlets and applets also exist.

There have been barely a *handful* of JRE/JVM security problems.

So the point of this is to say that new, modern, development
languages that are secure can be and are being developed and
used.  That PHP is relatively new with respect to computing
and has so many security problems should be an embarrassment
to its developers and users.

Or to put it another way, if there are so many security
problems with PHP then the PHP development model or use model
needs to be seriously reconsidered and redeveloped such that
it is immune to such security issues.  This may, of course,
mean throwing away PHP and starting over (see C/C++ -> Java).

Oh, and btw, you forgot to mention fortran.

Darren

