Message-ID: <44B2904C.4000807@novell.com>
Date: Mon, 10 Jul 2006 10:37:16 -0700
From: Crispin Cowan <crispin@...ell.com>
To: Gezim Hoxha <gezimetc@...w.ca>
Cc: "Geo." <geoincidents@....net>, bugtraq@...urityfocus.com
Subject: Re: Securing PHP or finding PHP alternatives
Gezim Hoxha wrote:
> With all that's been said in this thread, and all that has been observed
> (i.e. a large number of PHP vulnerabilities--please don't try and defend
> this; the common thing that everyone agrees on is that PHP tries to
> cater to all users (not necessarily programmers, which can make it
> insecure), I'm going to ask two questions:
>
> 1.) If I have to write PHP, how do I write secure PHP? Give me a number
> of ensures that I can follow and check-mark each and live a happy
> life--for the most part.
>
Program defensively:
* validate all inputs
    o use a white-list, not a black-list
* check all parameters
* check all return/error codes
* handle all exceptions
Test your system:
* check for SQL injection vulnerabilities
* check for XSS
Wrap it in AppArmor http://en.opensuse.org/AppArmor for when you screw
up ^W^W don't do all the above perfectly.
> 2.) From a security standpoint what is a better, open-source replacement
> to PHP?
>
Ruby, Python, Java, C#, all of which are type safe, and therefore much
more secure. All have open source implementations, including C#
http://www.mono-project.com/Main_Page
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Necessity is the mother of invention ... except for pure math
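The defensive checklist in Crispin's reply (allow-list validation, checking
for SQL injection and XSS, handling every error and exception) in working PHP.
This is an added example written for this archive page; it is not code from
the message, from PHP itself or from AppArmor. It assumes PHP 7.1 or later
with the pdo_sqlite extension and uses an in-memory database so it runs
offline; the `users` table, its columns and the sample rows are constructed
for the demonstration.

```php
<?php
// Added example (not part of the original message): the reply's checklist as code.
// - validate all inputs with an allow-list, never by stripping "bad" characters
// - bind data with prepared statements; map identifiers onto a fixed allow-list
// - escape every value for the HTML context it is echoed into
// - turn driver errors into exceptions and handle them explicitly
// Assumes PHP >= 7.1 with pdo_sqlite; table/column names are invented here.
declare(strict_types=1);

/** Allow-list validation: return the value only if it has the expected shape,
 *  otherwise null. No attempt is made to "clean" or guess at bad input. */
function validate_username(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

/** Column names cannot be bound as parameters, so map the request value onto
 *  a fixed set of known columns instead of trusting it; unknown -> default. */
function validate_sort_column(string $raw): string
{
    $allowed = ['name' => 'name', 'created' => 'created_at'];
    return $allowed[$raw] ?? 'name';
}

/** Escape for an HTML text or attribute context before echoing. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Look up a user. The data value is bound by a prepared statement; the only
 *  interpolated piece is the column name, which came from the allow-list. */
function find_user(PDO $db, string $username, string $sortColumn): ?array
{
    $stmt = $db->prepare(
        "SELECT id, name, bio FROM users WHERE name = :name ORDER BY $sortColumn LIMIT 1"
    );
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Render a profile fragment from raw request parameters ($_GET-shaped array). */
function render_profile(PDO $db, array $params): string
{
    $username = validate_username((string) ($params['user'] ?? ''));
    if ($username === null) {
        return '<p>Invalid user name.</p>';              // reject outright
    }
    $sort = validate_sort_column((string) ($params['sort'] ?? ''));
    try {
        $user = find_user($db, $username, $sort);
    } catch (PDOException $e) {
        error_log('profile lookup failed: ' . $e->getMessage()); // detail stays server-side
        return '<p>Temporary error.</p>';                 // generic message to the client
    }
    if ($user === null) {
        return '<p>No such user.</p>';
    }
    return '<h1>' . h($user['name']) . '</h1><p>' . h($user['bio']) . '</p>';
}

// --- constructed sample data and requests (demonstration only) ---
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // every driver error throws
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side binding
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT, created_at TEXT)');
$db->exec("INSERT INTO users (name, bio, created_at) VALUES
    ('alice', 'Hello <script>alert(1)</script> & goodbye', '2006-07-10')");

$requests = [
    ['user' => 'alice', 'sort' => 'created'],               // normal request
    ['user' => "alice' OR '1'='1", 'sort' => 'name'],       // fails the allow-list, never reaches SQL
    ['user' => 'alice', 'sort' => 'name; DROP TABLE users'], // unknown sort key -> default column
];
foreach ($requests as $req) {
    echo render_profile($db, $req), PHP_EOL;
}
```

Running it prints the escaped profile for the first and third requests (the
`<script>` text in the bio comes out as `&lt;script&gt;`, and the bogus sort
key silently falls back to `name`), and "Invalid user name." for the second,
because the quote and spaces never match the allow-list pattern. The point of
the allow-list is that rejected input is not sanitised and retried; it is
dropped, and the only data that reaches the database goes through a bound
parameter.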