<<< Date Index >>>     <<< Thread Index >>>

Re: LAMP vs Microsoft



On Jul 10, 2006, at 11:50 AM, Bob Beck wrote:

        Yes, but what are you hoping to prove with those numbers. I think all
you're demonstrating is what things get more attention, likely due to
their popularity, so they make a more interesting target.  I.E.  just
because you don't find hardly any vulnerabilities for web apps
deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please
sir can I have another..)[1]) doens't mean those that are aren't rife
with them.

Exactly.

I have seen far too many Perl/PHP/ASP/ASP.NET/whatever apps that can't figure out how to do really simple stuff like quote special characters before passing things to a database (or, better yet, using stored procedures and your web language's built in parameterized SQL exec functions - but that'll start a different religious war).

If you are defending against the next Internet Worm, then these numbers may matter. But if you are defending against data being compromised, the architecture of your system is much more important.

In fact, I've pretty much reduced website auditing to a single question (yes, it really is more complicated than this, but most sites fail on just this one, regardless of platform):

True/False: Someone who becomes an administrator on your public- facing web server can read all the data in your database?

If you answer "true" then you've already failed. Regardless of Linux or Windows usage. Does it matter if you have less bugs if it only takes one bug to compromise your entire architecture?


[1] Yes, I have seen an ANFC used for real [2]
[2] Yes, it had a hole.


I've seen very few custom web apps that *don't* have a hole.