NYCPHP Meetup

NYPHP.org

[nycphp-talk] Good PHP Apps (Was: suggestions for re-training of a junior VB/.netprogrammer)

jonbaer at jonbaer.net jonbaer at jonbaer.net
Wed Jun 30 13:01:18 EDT 2004


Here is my belief ... the best way to accomplish good programming practice is 
to first think like a hacker; some of the best books to read at any programming 
language level are those spooky ones, know your enemy, etc, etc, etc ...

The reason for this is extremely important: you want to get to know what a 
hacker will get out of your application ... for example the classic 
man-in-the-middle attack of someone on the network eavesdropping ... if you 
write a PHP app for SOAP<->SOAP communication and it works along the network 
*but* has sensitive info, you should run apps to capture this data and view it 
for yourself.  It took almost a year of reading security books to understand 
the implications of non-secure programming design.  

Chris's CSRF opens a whole new level for myself (not sure about others) on bad 
code which I've written that I had to go back and explore; however, if I had 
taken the time to understand it in the beginning I would have been better 
off.  

Also, 8 out of 10 people I know use pre-packaged software with the same exact 
table information, layout, design, etc. as the original.  Think about it: if 
someone hacks and figures out something malicious on one package, it leaves 
everything else open, and to myself this is the #1 item which has given PHP a 
bad name, because if everyone is going to use PHP-Nuke the same way then you are 
open to bad stuff.  

Anyways, PHP is a learning experience that should emphasize security first and 
foremost; it should be the 1st chapter in every book but unfortunately it's not.  
For example, if CSRF/XSS were covered *first* and mandated in every PHP book to 
be there (like a generic thing) vs. just a blurb or cute warning box, it would 
really help the language and its learning programmers.

- Jon

> This is a great suggestion, and I've given this advice in the past myself,
> but I think we might want to mention a few examples. Let's be honest - 99%
> of open source applications written in PHP exhibit awful design, poor
> programming practices, and blatant disregard to security. I'm afraid that
> people will "learn PHP" by hacking on something like phpBB, unless we
> point them in the right direction.

-- 
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
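As an added illustration of the CSRF/XSS point raised in the post above (this is example code written for this page, not code from Jon, Chris, or any project the thread mentions): a state-changing PHP handler with no request-origin check sits beside a version that requires a per-session token back on every POST and escapes everything it echoes into HTML. The handler names, the `/change-email` action, the session layout, and the simulated session/POST arrays are all assumptions made for the demo so that it runs from the command line without a web server.

```php
<?php
// Added example (not from the original post): a CSRF-vulnerable form handler
// next to a token-protected one, plus output escaping against XSS.
// The session and POST data are plain arrays here so the file runs offline;
// in a real app they would be $_SESSION and $_POST.
declare(strict_types=1);

// Vulnerable: any page that can make the victim's browser POST here (a hidden
// form auto-submitted by JavaScript) changes the address, because the browser
// attaches the victim's session cookie automatically.
function changeEmailVulnerable(array &$session, array $post): string
{
    if (!isset($session['user_id'])) {
        return 'not logged in';
    }
    $session['email'] = $post['email'];   // no proof the request came from our own form
    return 'email changed to ' . $post['email'];
}

// Hardened: issue a per-session secret token, embed it in the form, and
// require it back on every state-changing request.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // random_bytes() is CSPRNG-backed (PHP >= 7.0)
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfTokenIsValid(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    // constant-time comparison so the token cannot be recovered byte by byte
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

function changeEmailHardened(array &$session, array $post): string
{
    if (!isset($session['user_id'])) {
        return 'not logged in';
    }
    if (!csrfTokenIsValid($session, $post)) {
        return 'rejected: missing or bad CSRF token';
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'rejected: invalid e-mail';
    }
    $session['email'] = $email;
    return 'email changed to ' . $email;
}

// The form that carries the token. Everything echoed back into HTML goes
// through htmlspecialchars() so a stored value such as <script>... cannot
// become markup (the XSS half of the problem).
function renderForm(array &$session): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $token = issueCsrfToken($session);
    return '<form method="post" action="/change-email">'
        . '<input type="hidden" name="csrf_token" value="' . $esc($token) . '">'
        . '<input name="email" value="' . $esc($session['email'] ?? '') . '">'
        . '<button>Save</button></form>';
}

// --- Constructed demo (no web server; session and POST are plain arrays) ---
$session = ['user_id' => 42, 'email' => 'jon@example.com'];

// Forged request from a third-party page: no token, attacker-chosen address.
$forged = ['email' => 'attacker@evil.example'];
echo changeEmailVulnerable($session, $forged), "\n";   // succeeds: account hijacked

$session['email'] = 'jon@example.com';
echo changeEmailHardened($session, $forged), "\n";      // rejected: no token

// Legitimate request: the browser submits the token our own form embedded.
$html  = renderForm($session);
$legit = ['email' => 'jon@example.org', 'csrf_token' => $session['csrf_token']];
echo changeEmailHardened($session, $legit), "\n";       // accepted

// Even if a script payload ever reached the session, output escaping keeps it inert.
$session['email'] = '"><script>alert(1)</script>';
echo renderForm($session), "\n";
```

Run it with `php csrf_demo.php`: the vulnerable handler accepts the forged POST, the hardened one rejects it and accepts only the request carrying the token the form issued, and the final form render shows the stored payload escaped as text rather than markup. Note the order of checks in `changeEmailHardened()`: authentication first, then the CSRF token, then input validation, so a forged request is refused before any of its data is looked at.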