Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: LAMP vs Microsoft
From: Bob Beck <beck () bofh cns ualberta ca>
Date: Wed, 12 Jul 2006 08:58:05 -0600


    The simple fact is most of the MS/PHP/JAVA web development will be
being done by code monkeys, fresh out of school..

You're confusing what I'm interested in (platform security) with
the people who use the platform to develop on top of.  If the
foundations of what you're using are insecure, then the web
developer has a harder task.

        I don't think the platform matters all that much if people are
writing code and deploying code without security as a goal. While a
particular platform may make it more difficult for a certain type of
attack to occur (i.e. it's harder to have traditional buffer overflow
attacks in something like OpenBSD or Java) The avenue of attacks for
web applicatons is broad enough, particularly when the browser and
ease-of-use-assisted social engineering is involved that the platform
is going to be moot compared to basic application design and
deployment issues.  Heck, lots of banks do clear text redirects from
http://www.bigassedbank.com/ to https://www.bigassedbank.com/, and
then have idiots using them from coffee shops.  That's much more
fundamental than the sorts of things like html goo, sql insertion,
browser bugs, etc. etc. etc.

        I think the focus on "choice of platform" merely distracts attention
from the design of the entire application and what the end to end
impacts are. I know I've been given the "It's written in Java it's
secure" line of horse apples from people selling an application that
couldn't even do ssl connections to ldap and smtp, and insisted on
doing them in the clear. See? the choice of platform in this case is
moot - design and implementation without security in mind is the
problem. 

        -Bob
 



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault