[nycbug-talk] Searching for suspect PHP files...

Hans Zaunere lists at zaunere.com
Tue Mar 3 16:20:57 EST 2009


> > http://www.nyphp.org/content/presentations/
> >
> > Search for Coding secure
> >
> > There's also a corresponding article coming out in April that provides a
> > lot more detail.
> 
> I don't want to speak for Miles here, but I think he meant that PHP is

Ok, but I'll respond to the below for now.

> flawed by design, and not asking "how to write secure code".  It is so

Bluntly, if you don't consider them going hand in hand, there's a much
bigger problem than PHP.  Is C flawed because someone doesn't know how to
check/prevent buffer overflows?  Is Unix flawed because root lets you wipe
out the hard disk?

> easy to exploit PHP bugs, that even Visual BASIC "idiots" can do it. It
> has been increasingly harder to secure HTTP, as most of the successful
> break-ins are done with the help of PHP.  And Miles remarked wisely

Look through the presentation.  The point is that it's not about the
language - there's the developer, and most importantly, HTTP, which, if
anything, is "flawed" from a security standpoint.  Please consider the
difference between HTTP and PHP.

> this trend has been going for years.

Web security?  PHP security?  Unfortunately, there hasn't been enough
attention to either, that's the point.

H