WebApp Sec: RE: [OWASP-GUIDE] Question concerning usage of languages for webapps

From: Ralf Durkee <rd_at_rd1.net>
Date: Mon, 17 May 2004 08:29:53 -0400

At 02:05 PM 5/16/2004 +0200, Ofer wrote:

In reply to Ofer's comments:

>Dear List,
>
>Our company has performed several hundred PT's in the last few years.
>Only very few were PHP (less than 5). I agree you may find many PHP
>sites online, but the majority of these sites are free or small sites.

I find plenty of businesses using PHP when performing security audits, and I
agree that they tend to be small to medium size applications. I think
you'll find the size of the application is more of a determinant than the
business size, as large corporations have plenty of small applications
as well. Although my experience includes dozens rather than hundreds of web
apps, it does include small applications as well as large applications in
corporate data centers. You may find that the nature of your business tends
to draw mainly the large application customer.

>Most commercial organizations that run business applications do not use
>PHP, but rather one of the commercial infrastructures. Same reference
>goes to perl.

For one, the majority of the Internet market and economy is made up of
small to medium size businesses. And I think it's also safe to say that the
majority of the commercial applications are also small to medium size
applications. The statement about PHP not being used by commercial
organizations is just plain false; there's a lot of it out there. I also
find Perl used at both extremes of the complexity scale, from the small and
simple to some of the largest and most complex web applications.

>Perl has lost most of its popularity in real world web
>applications. It can still be seen often, again, in non commercial
>sites, yet it is not as widely used as it was used 5-7 years ago, when
>CGI's were the main stream of web applications.

I agree that Perl is not the dominant (percentage wise) CGI language that it once
was, but it is widely used in commercial applications.

>On the other hand, I find the low ranking of ASP applications very
>surprising.

Yes, I agree; there is a lot of IIS/ASP out there, from small to large
applications.

-- Ralf Durkee, CISSP, GSEC, GCIH
Durkee Consulting, Inc.
Principal Consultant
http://rd1.net
Received on May 17 2004