[nycphp-talk] "The Web is broken and it's all your fault."

Hans Zaunere lists at
Fri Sep 15 09:04:06 EDT 2006

> 	Part of the reason Lerdorf considers the Web "broken" is that
> 	it is inherently insecure for a variety of reasons. One of those
> 	reasons sits at the feet of developers.

Pardon my bluntness, but if we follow that reasoning then the entire
internet is hopelessly broken and insecure.  If email wasn't broken and
insecure, we wouldn't have spam.

While I agree with Rasmus that it's the responsibility of developers to
ensure they write good code - one facet of which is being security conscious
- this isn't an epiphany by any means.  Everything in the history of
computers has been plagued by these issues.  PHP is no different.

> Everybody is preaching security (gurus on this list included).  So,
> why hasn't it caught fire?  Here's my quick-list..

I think it has.  Public perception is different from what's going on in
large deployments, which too is changing.  Judging the quality of a language
and its developers on certain popular pieces of PHP software isn't viewing
the whole picture.

> 1. it is easy to ignore it and the app still works in your test
> 	environment.. and you didn't waste valuable time auditing!
> 	(tongue in cheek)  "Despite your Herculean timetable,  Mr.
> 	Client, the app is ready.  Now I'm going to have to bill you
> 	extra hours to do a security audit and documentation."
> 	"umm.. no thanks, Mr. Developer.  I don't have the budget for
> 	your bill padding".
> 2. php is easy to use and popular; low adoption barriers.
> 	a. newbies haven't been burned yet or don't know best practices
> 	b. popularity brings the dark side for low hanging fruit
> 	c. terms like 'x-site scripting' and 'db injection' are
> 		confusing buzzwords to the newly introduced and (despite
> 		efforts) are not defined well enough; besides,
> 		buzzwords get ignored anyway.
> 	d. "eewww.. that can/will not happen to me"

Number 2 is the real issue in my opinion.  The biggest problem is the low
adoption barriers.  When I've seen PHP code from developers that know
another language, it's generally good - just like code in any other language
from a good developer - it's good.

PHP also unfortunately suffers from the Microsoft effect - writing an
exploit that would affect millions of web sites/applications makes you a
much better script kiddie than writing one that only affects a dozen.

> 3. it isn't preached enough

I don't think that's the problem :)

Hans Zaunere / President / New York PHP  /
