RE: [OWASP-GUIDE] Question concerning usage of languages for webapps
From: Ralf Durkee <rd () rd1 net>
Date: Mon, 17 May 2004 08:29:53 -0400
At 02:05 PM 5/16/2004 +0200, Ofer wrote:
In reply to Ofer's comments:
Our company has performed several hundred PT's in the last few years.
Only very few were PHP (less than 5). I agree you may find many PHP
sites online, but the majority of these sites are free or small sites.
I find plenty of business using PHP when performing Security audits, and I
agree that they tend to be small to medium size applications. I think
you'll find the size of the application is more of a determination than the
business size, as large corporations also have plenty of small applications
as well. Although my experience includes dozens rather than hundreds of web
apps, it does include small applications as well as large applications in
corporate data centers. You may find that the nature of your business tends
to draw on mainly the large application customer.
Most commercial organizations that run business applications do not use
PHP, but rather one of the commercial infrastructures. Same reference
goes to Perl.
For one, the majority of the Internet market and economy are made up of
small to medium size businesses. And I think it's also safe to say that the
majority of the commercial applications are also small to medium size
applications. The statement about PHP not being used by commercial
organizations is just plain false, there's a lot of it out there. I also
find Perl used at both extremes of the complexity scale from the small and
simple to some of the largest and most complex web applications.
Perl has lost most of its popularity in real world web
applications. It can still be seen often, again, in non-commercial
sites, yet it is not as widely used as it was used 5-7 years ago, when
CGI's were the mainstream of web applications.
I agree that Perl is not the dominant (percentage wise) CGI that it once
was, but it is widely used in commercial applications.
On the other hand, I find the low ranking of ASP applications very
Yes I agree, there is a lot of IIS/ASP out there from small to large
-- Ralf Durkee, CISSP, GSEC, GCIH
Durkee Consulting, Inc.