[PLUG] Preventing Probes Like This

Tim tim-pdxlug at sentinelchicken.org
Mon Aug 25 20:13:00 UTC 2008


Hello Ed,

> Security has nothing to do with the language or the framework. 

I beg to differ.

How often do you see a Java application that's vulnerable to SQL
injection via a numeric field?  How often do you see a similar PHP
application be vulnerable to injection via a numeric field?  I'm sure
those numbers would differ, for the sole reason that Java is strictly
typed, and PHP isn't.  By nature, programmers will most often cast that
input parameter to an Integer in Java, just because that's the most
logical thing to do.

Strictly typed languages have their drawbacks, but this is just meant to
illustrate that language does matter when it comes to the security of
*typical, real-world* applications.

How often do you see Python applications vulnerable to remote file
include vulnerabilities?  How often with PHP?  Yeah... PHP basically
invented that class of vulnerability.  Complete and utter foolishness on
the PHP developers' part, but now we're stuck with it.

When it comes to real-world applications, the platform does matter
because most programmers suck.


> It's
> something you have to design in from the ground floor and test
> rigorously and constantly.

Yes.

Regardless of the platform and language, you can always shoot yourself
in the foot.  I'm frequently amazed by how much work some programmers
will put into making their apps insecure.  Design security into your
apps, and test, test, test.

cheers,
tim
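
The numeric-field contrast from the first paragraph, as an added example that is not part of the original post. Python with an in-memory sqlite3 table (constructed sample data) stands in for both styles: `lookup_untyped` splices the request string into the SQL the way an untyped PHP handler typically does, and `lookup_typed` rejects anything that is not a whole number before building the query and binds it as a parameter, the way a Java handler that parses to Integer effectively does. The function and table names are assumptions.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's users table.
SAMPLE_USERS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_untyped(conn: sqlite3.Connection, user_id: str) -> list:
    """Untyped handler: the request parameter stays a string and is interpolated
    straight into the statement, so anything after the number becomes SQL."""
    rows = conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()
    return [name for (name,) in rows]


def lookup_typed(conn: sqlite3.Connection, user_id: str) -> list:
    """Typed handler: require a pure integer literal (like Integer.parseInt,
    which rejects '1 OR 1=1' but also ' 1 ' and '1_0'), then bind the value
    as a parameter rather than building SQL from text."""
    if re.fullmatch(r"-?[0-9]+", user_id) is None:
        raise ValueError(f"id must be an integer, got {user_id!r}")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),)).fetchall()
    return [name for (name,) in rows]


def run_comparison(param: str) -> dict:
    """Run one request parameter through both handlers and report the outcome."""
    conn = build_db()
    result = {"untyped": sorted(lookup_untyped(conn, param))}
    try:
        result["typed"] = sorted(lookup_typed(conn, param))
    except ValueError as exc:
        result["typed"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for candidate in ("2", "2 OR 1=1"):
        print(candidate, "->", run_comparison(candidate))
```

With the benign parameter both handlers return the same single row; with the tautology appended, the untyped handler returns every row while the typed handler refuses the request before any SQL is built.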