
Re: PHP security (or the lack thereof)



> Well then we better start having web hosting companies who support ASP,
> Perl, CGI etc. be pointed out to the public so that when selecting a web
> host they know that they might be being put into an extreme risk
> situation.

Yes that's exactly the point, the risks for each should be pointed out.

Is there anyone here who follows the security lists that doesn't see a risk
level difference between say asp and php? Whether it's caused by the number
of insecure applications available, the amount of knowledge about a
particular platform, the amount of time being spent checking for exploits,
the number of people using those extensions, whatever, there is certainly a
difference in the risk factor of having one set of extensions over another
available on public web servers (or private for that matter).

How would you evaluate the risk level between two hosting services, one which
offers only asp or perl and one which offers a two page checklist of
extensions? How about just asp compared to dot net, do you not see the
difference even without evaluating every piece of downloadable code written
for each? Microsoft claims dot net is more secure (they claim everything new
is more secure than their last version) and the security community sits by
without comment.

What we need is a rating system, a risk level assessment of each of the
server side extensions available based on how powerful they are, how easy or
difficult it is to write bad code, how often they require patching or the
apps written for them require patching, how often each are being used to
exploit servers, etc.

We need some sort of a rating system that allows the users to see the
difference and to understand that more doesn't always mean better.

Geo.