Open Source and information security mailing list archives
Date: Wed, 12 Jul 2006 08:58:05 -0600
From: Bob Beck <beck@...h.cns.ualberta.ca>
To: Darren Reed <avalon@...igula.anu.edu.au>
Cc: Bob Beck <beck@...h.cns.ualberta.ca>, bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft


> > 	The simple fact is most of the MS/PHP/JAVA web development will be
> > being done by code monkeys, fresh out of school..
> 
> You're confusing what I'm interested in (platform security) with
> the people who use the platform to develop on top of.  If the
> foundations of what you're using are insecure, then the web
> developer has a harder task.
> 
	I don't think the platform matters all that much if people are
writing code and deploying code without security as a goal. While a
particular platform may make it more difficult for a certain type of
attack to occur (i.e. it's harder to have traditional buffer overflow
attacks in something like OpenBSD or Java), the avenue of attacks for
web applications is broad enough, particularly when the browser and
ease-of-use-assisted social engineering is involved, that the platform
is going to be moot compared to basic application design and
deployment issues.  Heck, lots of banks do clear text redirects from
http://www.bigassedbank.com/ to https://www.bigassedbank.com/, and
then have idiots using them from coffee shops.  That's much more
fundamental than the sorts of things like html goo, sql insertion,
browser bugs, etc. etc. etc.

	I think the focus on "choice of platform" merely distracts attention
from the design of the entire application and what the end to end
impacts are. I know I've been given the "It's written in Java it's
secure" line of horse apples from people selling an application that
couldn't even do ssl connections to ldap and smtp, and insisted on
doing them in the clear. See? The choice of platform in this case is
moot - design and implementation without security in mind is the
problem. 

	-Bob
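The clear-text redirect Bob mentions, as an added example that is not part of the original message or of any bank's code: a small offline model of what a browser sees when it first asks for http://www.bigassedbank.com/ (the hostname from the message), on an honest network and on a coffee-shop network with an on-path attacker. The HTTP responses are constructed for the example, not captured from any site. The final function models HSTS (Strict-Transport-Security), a browser mechanism that postdates this 2006 thread; it is included to show what closes the cleartext first hop, and the header name and semantics are the real ones.

```python
from urllib.parse import urlparse

HOST = "www.bigassedbank.com"  # hostname used in the message

# Constructed sample responses (not captured from any real server).
REDIRECT_TO_HTTPS = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    f"Location: https://{HOST}/\r\n"
    "Content-Length: 0\r\n\r\n"
)
LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n"
    '<form method="POST" action="/login">...</form>'
)


def parse_response(raw):
    """Split a raw HTTP response into (status, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def bank(url):
    """The bank as described: port 80 only redirects, port 443 serves the page."""
    return REDIRECT_TO_HTTPS if urlparse(url).scheme == "http" else LOGIN_PAGE


def coffee_shop_mitm(url):
    """An on-path attacker on the coffee-shop network. It can only touch what the
    victim sends in the clear, but that is enough: for the http request it fetches
    the real page over https itself and hands it back without the redirect (and
    without the HSTS header), so the victim stays on http and will POST the
    password in the clear."""
    if urlparse(url).scheme == "http":
        _, headers, body = parse_response(bank(f"https://{HOST}/"))
        headers.pop("strict-transport-security", None)  # never reaches the browser
        head = "HTTP/1.1 200 OK\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
        return head + "\r\n" + body
    return bank(url)  # https traffic passes through untouched


def trace(start_url, responder, max_hops=5):
    """Follow redirects as a browser would; return the URLs requested, in order."""
    hops = [start_url]
    for _ in range(max_hops):
        status, headers, _ = parse_response(responder(hops[-1]))
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        hops.append(headers["location"])
    return hops


def cleartext_hops(hops):
    """Every request in the trace that went out unencrypted."""
    return [u for u in hops if urlparse(u).scheme == "http"]


def browser_start_url(typed_host, hsts_cache):
    """What the browser requests when the user types the bare host name. With an
    HSTS entry cached from an earlier https visit it never issues the cleartext
    request at all, which is what removes the hop the attacker needs."""
    scheme = "https" if typed_host in hsts_cache else "http"
    return f"{scheme}://{typed_host}/"


def remember_hsts(url, responder, hsts_cache):
    """Cache the host if an https response carried Strict-Transport-Security."""
    _, headers, _ = parse_response(responder(url))
    if urlparse(url).scheme == "https" and "strict-transport-security" in headers:
        hsts_cache.add(urlparse(url).hostname)


if __name__ == "__main__":
    honest = trace(browser_start_url(HOST, set()), bank)
    print("honest network :", honest, "cleartext:", cleartext_hops(honest))
    attacked = trace(browser_start_url(HOST, set()), coffee_shop_mitm)
    print("coffee shop    :", attacked, "cleartext:", cleartext_hops(attacked))
    cache = set()
    remember_hsts(f"https://{HOST}/", bank, cache)  # one earlier visit on a safe network
    pinned = trace(browser_start_url(HOST, cache), coffee_shop_mitm)
    print("with HSTS cache:", pinned, "cleartext:", cleartext_hops(pinned))
```

On the honest network the trace is two requests and the first one is still in the clear; on the coffee-shop network the trace is a single cleartext request that ends on a login form the victim will submit over http. The redirect itself is not the bug, the cleartext first request is, and nothing in the platform the server runs on changes that.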