Re: LAMP vs Microsoft
From: Joel Maslak <jmaslak () antelope net>
Date: Mon, 10 Jul 2006 19:37:42 -0600
On Jul 10, 2006, at 11:50 AM, Bob Beck wrote:
> Yes, but what are you hoping to prove with those numbers. I think all
> you're demonstrating is what things get more attention, likely due to
> their popularity, so they make a more interesting target. i.e. just
> because you hardly find any vulnerabilities for web apps
> deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please
> sir can I have another..)) doesn't mean those that are aren't rife
I have seen far too many Perl/PHP/ASP/ASP.NET/whatever apps that
can't figure out how to do really simple stuff like quote special
characters before passing things to a database (or, better yet, using
stored procedures and your web language's built-in parameterized SQL
exec functions - but that'll start a different religious war).
If you are defending against the next Internet Worm, then these
numbers may matter. But if you are defending against data being
compromised, the architecture of your system is much more important.
In fact, I've pretty much reduced website auditing to a single
question (yes, it really is more complicated than this, but most
sites fail on just this one, regardless of platform):
True/False: Someone who becomes an administrator on your public-facing
web server can read all the data in your database?
If you answer "true" then you've already failed. Regardless of Linux
or Windows usage. Does it matter if you have fewer bugs if it only
takes one bug to compromise your entire architecture?
Yes, I have seen an ANFC used for real. Yes, it had a hole.
I've seen very few custom web apps that *don't* have a hole.
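The two points Joel raises above (quote-or-parameterize before the query reaches the database, and do not let one web-tier bug expose the whole database) can both be shown in a few lines. The following is an added example and is not code from the original post or from any of the platforms discussed. It uses Python's built-in sqlite3 module with a constructed in-memory database (two users, two card numbers); the payload string, table names and the authorizer whitelist are all assumptions made for the demonstration. SQLite's authorizer stands in for the per-account GRANTs, views or stored-procedure-only access you would use on a real server-side database.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
]
CARDS = [
    (1, "4111111111111111"),
    (2, "5500000000000004"),
]

# A payload of the kind an attacker would submit in the "name" field.
PAYLOAD = "' UNION SELECT pan FROM cards --"


def build_db():
    """Create an in-memory database holding public-ish and sensitive tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE cards (user_id INTEGER, pan TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO cards VALUES (?, ?)", CARDS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, name):
    """The anti-pattern from the post: user input is pasted into the SQL text."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, name):
    """Parameterized query: the driver passes `name` as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def restrict_web_handle(conn, allowed_tables=("users",)):
    """Model a least-privilege database account for the web tier.

    SQLite's authorizer is consulted when each statement is compiled; any
    read of a column outside the whitelisted tables rejects the statement.
    On a real database server this is the GRANT policy of the account the
    web server logs in with, and it holds even if the server is fully owned.
    """
    allowed = set(allowed_tables)

    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
            return sqlite3.SQLITE_OK if arg1 in allowed else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_DENY         # no writes, no schema changes

    conn.set_authorizer(authorizer)


def demo():
    """Run the three scenarios and return what each one yields."""
    conn = build_db()
    results = {}

    # 1. String-built query: the payload reads every card number.
    results["vulnerable"] = sorted(lookup_email_vulnerable(conn, PAYLOAD))

    # 2. Parameterized query: the payload is just an unknown user name.
    results["safe"] = lookup_email_safe(conn, PAYLOAD)
    results["safe_normal"] = lookup_email_safe(conn, "alice")

    # 3. Same vulnerable code, but the handle the web tier holds cannot
    #    read the cards table, so the injection fails at statement compile.
    restrict_web_handle(conn)
    try:
        results["restricted"] = lookup_email_vulnerable(conn, PAYLOAD)
    except sqlite3.DatabaseError as exc:
        results["restricted"] = "denied: %s" % exc
    results["restricted_normal"] = lookup_email_safe(conn, "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-17s %r" % (key + ":", value))
```

Scenario 3 is the point of the "true/false" question: the injection bug is still there, but the blast radius is bounded by what the web tier's database identity is allowed to touch, not by the web server's own privilege level.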