Message-ID: <20060711151633.GB14077@bofh.cns.ualberta.ca>
Date: Tue, 11 Jul 2006 09:16:33 -0600
From: Bob Beck <beck@...h.cns.ualberta.ca>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: Bob Beck <beck@...h.cns.ualberta.ca>, bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft


> And I think vulnerabilities disclosed are a much better indicator
> of the changes to QA/development of products than any hyperbole
> from those responsible (be it management or developers.)

	No, I think vulnerabilities disclosed is simply a measure of how much
development and deployment is happening on the platform. Period.

> I fully expect that both the Microsoft and Linux based platforms to
> continue to be the most popular for web deployments and thus the most
> interesting for hackers to target and vulnerabilities to be found.
> 
> What would concern me more here is if one platform was on the up
> whilst the other was on the down.

	This will always be the case as one platform changes in popularity
for deployments relative to another. 

	The simple fact is most of the MS/PHP/JAVA web development will be
being done by code monkeys, fresh out of school. I'm pretty certain
they will "inbug" the same average number of bugs per line of code
they write no matter what platform it is. Development is often
outsourced to an external coding haus, written to a spec, without
complete info about what the whole final application is going to do.
Frequently they don't even reuse "mature" code from past releases
because you don't want to release it to the external people, or you're
too busy chasing platform-du-jour (Want a great example of this? I'm
betting Sun One, going from version 5 to version 6, is a good one.)

	-Bob
 

	
