RE: [OWASP-GUIDE] Question concerning usage of languages for webapps

["Imperva Application Defense Center" <adc () imperva com>]

Chris,

At no point I was trying to be biased towards commerical web
applications. I have a long happy history with open source and linux
from many years ago, and I totally agree that PHP is an important
language that shold be covered as well. 

However, when performing a risk analysis, you always must weight the
potential damage. Application hackers care less about hacking the
*application* of a .org content site, than they care about breaking into
a bank, or tampering with an ecommerce site. The majority of application
layer attacks to not focus in taking over the server (some do, but they
are the minority). The majority of application layer attacks go to the
business logic. To hijack user accounts of other users. To meddle with
the business logic of the appplication, to steal information. All these
attacks pose a much greater risk to commercial applications (And XSS,
which you have mentioned, does not normally compromise the target
machine. It compromises the information that is transferred between the
target machine and the web site, which again, is usually not very
critical in non commercial applications). 

With all that said, I do not dismiss PHP in any way. I think it's a
great language, and I have written some sites using it myself. PHP
should definitley be included in the OWASP guide, but, in my humble
opinion, it should not be its main focus. My main concern with the
published statistics was the fact that PHP got a much higher ranking
than any other language.

Ofer.

-----Original Message-----
From: Chris Todd [mailto:chris () christophertodd com] 
Sent: Monday, May 17, 2004 3:46 AM
To: webappsec () securityfocus com
Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for
webapps


Ofer,

While the statistics you cite regarding the distribution of programming
languages in commercial web apps are probably accurate (they certainly
jive with my experience), I have to admit that I find your bias towards
commercial web apps troubling.

OWASP does not exist solely to improve the security of commercial web
applications, it exists to improve the security of *ALL* web
applications, and in that respect PHP is *way* more important than
ASP/ASP.NET/.NET/Java, because there are thousands of PHP applications
out there that desperately need to be improved, and there are many more
PHP-enabled apache web servers than there are IIS servers (see
Netcraft).

Anyone who cares about the security of the Internet as a whole
understands that we need to teach as many people as possible how to
write secure web apps, because every insecure web app, wherever it may
be on the Internet, and whatever language it is written in, is a
possible attack vector against our systems.  Every cross site scripting
attack that can be used to compromise a client machine, every SQL
injection attack that can reveal sensitive data, every web server that
gets rooted because of an insecure PHP/Perl/C CGI script, is another
platform for launching attacks.

While it may sound like a pipe dream to some, I honestly believe that
OWASP can make a contribution to the overall security of the Internet by
removing the low-hanging fruit hackers use to compromise web apps.
Teach web app developers to do just a few things differently, to be just
a little paranoid, to validate all input, and the hackers have to work a
lot harder. Anything that makes hackers' lives more difficult is a Good
Thing(TM) in my book.

Therefore, in my opinion (for however many cents it's worth), PHP should
be the number one language the Guide focuses on.  Of course, it should
include coverage of Java, the MS technologies, and probably also Perl,
but PHP should receive it's strongest and deepest focus, because that's
where the Guide can make the greatest impact.

Regards,
Chris

-----Original Message-----
From: Imperva Application Defense Center [mailto:adc () imperva com] 
Sent: Sunday, May 16, 2004 8:05 AM
To: Adrian Wiesmann; webappsec () securityfocus com
Subject: RE: [OWASP-GUIDE] Question concerning usage of languages for
webapps


Dear List,

I have to say I find the results troublingm, as they are very
open-source oriented, rather than real-world industry oriented. 

Our company has performed several hundred PT's in the last few years.
Only very few were PHP (less than 5). I agree you may find many PHP
sites online, but the majority of these sites are free or small sites.
Most commercial organizations that run business applications do not use
PHP, but rather one of the commercial infrastructures. Same reference
goes to perl. Perl has lost most of its popularity in real world web
applications. It can still be seen often, again, in non commercial
sites, yet it is not as widely used as it was used 5-7 years ago, when
CGI's were the main stream of web applcations. 

On the other hand, I find the low ranking of ASP applications very
surprising. This is, of course, an old technology, which is slowly being
replaced with ASP.Net, yet is still widely used (and probably still used
a lot more than ASP.Net). Therefore, although new applications written
from scratch are likely to be written in ASP.Net, there is a lot of code
that is still being written in ASP, as part of existing applications,
which makes it, in my opinion, probably the most important or second
most important infrastructure. 

It is my belief that such as document should refer to what's mostly used
in the industry, and therefore put the two main commercial technologies
(mainly ASP/ASP.Net and Java/JSP) as the top priority. As for other
content infrastructure, such as ColdFusion, Vignette, DB-Specific
environments, etc
- There are so many of them, that I think there should be general
guidelines, which shold be written clear enough so that developers will
be able to deduct from them about the specific technology in use.

Sincerely,

Ofer Maor
Application Defense Center Manager
Imperva(tm) Inc.
http://www.imperva.com/adc/


-----Original Message-----
From: Adrian Wiesmann [mailto:awiesmann () swordlord org] 
Sent: Friday, May 14, 2004 7:59 PM
To: webappsec () securityfocus com
Subject: Re: [OWASP-GUIDE] Question concerning usage of languages for
webapps


Hello list

Thank you for your help concerning my question about web application
languages usage. Please note that I neither counted the total sum of
replies nor is the list below in any way representative. I only use it
to decide on which language to cover in the OWASP Guide v2.

Here are the results in one simple list. The numbers below the language
names represent the number of time the language was mentioned (so one
user could mention multiple languages, but every language only one
time). One speciality is the ASP.NET line. The number left of the equals
sign is the total number of mentionings and the numbers on the right
define which languages are used within the .NET framework. This means
that one developer can use both c# and vb.net. (But this counts only
once.)

PHP
14

Java/JSP
10

Perl
9
(one person said perl for backend purposes and php for frontend)

ASP.NET (undefined/C#/VB.NET)
9 = 5 / 3 / 2

ASP
5

Python
3

PL/SQL
2

TSQL
2

ColdFusion
1

Sybase PowerScript
1

TCL
1

C
1

Delphi
1

JavaScript
1

The interpretation of the result is yours :)

Thanks again for your help,
Adrian