26th August, 2008
Thanks to Ivo Jansch, I spotted Matt Assay mentioning in his article on cnet that PHP headlines in IBM’s list of most vulnerable software and I have to say this is complete balderdash on the part of IBM.
He quotes from the report:
Another commonality between these three vendors is that they are all written in PHP. If we look back over last year’s disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.
What are featuring in IBM’s top ten of vulnerable that makes the report insinuate that the PHP language is a security risk are Jooma, WordPress and Drupal. How PHP would feature in a list of “vendors” is beside the point – if a construction company were to build a house where the windows don’t close fully, the security alarm doesn’t work and where bare wires are exposed you don’t “blame” the windows, alarm system and cabling. The responsibility rests with the construction company and/or the individual contractors hired by that company. Similarly, we can’t “blame” PHP for bad software architecture and security risks present in Joomla, WordPress or Drupal – the onus is on the software developers and architects to design secure [web] applications.
They should, at the least, ensure input data is of the expected type, of certain values; handle uploaded files in a secure and cautious manner that they don’t overwrite files crucial to the health/security of the system running the application or the application itself; use an audit trail for checking against attacks, ensure security in depth against SQL injections, Cross Site Vulnerabilities, Command Injection and … I could go on but won’t – search for php security best practices, get the Zend PHP 5 Certification Study Guide, check out the library resource at the PHP Security Consortium.
Now where’s ruby, cobol, C, and z80A assembly language on that list? And why is Linux mentioned there as a vendor?
Posted at 12:47 pm | Comment (0)