[nycbug-talk] Searching for suspect PHP files...
Hans Zaunere
lists at zaunere.com
Tue Mar 3 16:20:57 EST 2009
> > http://www.nyphp.org/content/presentations/
> >
> > Search for Coding secure
> >
> > There's also a corresponding article coming out in April that provides a lot
> > more detail.
>
> I don't want to speak for Miles here, but I think he meant that PHP is
Ok, but I'll respond to the below for now.
> flawed by design, and not asking "how to write secure code". It is so
Bluntly, if you don't consider them going hand in hand, there's a much
bigger problem than PHP. Is C flawed because someone doesn't know how to
check/prevent buffer overflows? Is Unix flawed because root lets you wipe
out the hard disk?
> easy to exploit PHP bugs, that even Visual BASIC "idiots" can do it. It
> has been increasingly harder to secure HTTP, as most of the successful
> break-ins are done with the help of PHP. And Miles remarked wisely
Look through the presentation. The point is that it's not about the
language - there's the developer, and most importantly, HTTP, which, if
anything, is "flawed" from a security standpoint. Please consider the
difference between HTTP and PHP.
> this trend has been going for years.
Web security? PHP security? Unfortunately, there hasn't been enough
attention to either, that's the point.
H