I think you're thinking a bit too high-level, bro. The actual PHP interpreter is a piece of shit. It is horrendous, atrocious, and a whole bunch of other ous-es, except for delicious.
Even in a language-semantic perfectly secure PHP application, it's still being interpreted by the biggest pile of loosely written C code known to man. That means that your theoretical PHP level security falls on its ass with the quality of the actual PHP interpreter, because what would in theory be a safe and secure API on the PHP level can still turn out (and often does) to be a complete disaster on the C level. Therefore, everything PHP based is completely insecure.

Love,
Bas

On Tue, Aug 20, 2013 at 08:15:53AM -0400, Justin C. Klein Keane wrote:
> Hello,
>
> I'm writing after listening to Loopcast 73 and hearing Dave say
> "Everything PHP based is completely insecure" (min 30:18) in the
> course of the interview. I had to rewind the podcast a couple of
> times, sure that I'd misheard something. After a quick Tweet [1] I
> got a number of responses and the suggestion that I e-mail the list.
> The dubious wisdom of submitting my thoughts to a moderated list in
> order to criticize the list's namesake isn't lost on me. I'm not
> going to spend too much time on this e-mail in case it gets routed to
> /dev/null.
>
> Stating that an entire programming language is secure, or insecure,
> is overreaching to the point of useless generalization. If we
> consider security to be a non-trivial property then it can't be
> computed [2]. If we're making attestations that can't be proven
> computationally then they're purely based on anecdote. While I'm sure
> there are convincing anecdotes about insecure PHP programs, there are
> also counterexamples [3].
>
> I think it's irresponsible to label an entire language insecure,
> even one like PHP, which is the favorite whipping boy of the security
> community. While it is accurate to say that PHP is an extremely
> widespread, and easy to learn, programming language for producing
> globally available always-on web applications, and that the popularity
> and ease of PHP lend themselves to novices producing insecure
> applications in the language, it is not accurate to say that PHP
> itself is insecure. PHP based applications suffer just as many
> security flaws as any other application. Security, or lack thereof,
> is derived in implementation.
>
> While we can make specific claims about security related attributes
> of PHP, such as: PHP doesn't allow the programmer to make unchecked
> memory assignments (i.e. no buffer overflows), we can't say that this
> makes the language secure or insecure. It is just as easy to produce
> an insecure web application in Java, or ASP.NET, [4] as it is in PHP.
> Singling out an entire language for derision doesn't really advance
> any conversation of purpose.
>
> I think if we want to make specific, actionable, recommendations
> vis-a-vis PHP we can certainly say that any organization that deploys
> an open source, PHP based, web application without performing a
> rigorous code review for security flaws is trusting the security of
> that application to third parties and that this is an unwise security
> posture. If Immunity had a PHP based web forum compromise, and didn't
> review the forum software before deploying it, the fault doesn't lie
> in PHP, but with Immunity for not performing due diligence with
> respect to the software.
>
> [1] https://twitter.com/madirish2600/statuses/369549381373923329
> [2] https://en.wikipedia.org/wiki/Rice%27s_theorem
> [3] https://association.drupal.org/node/17438
> [4] https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>
> Cheers,
>
> Justin C. Klein Keane, MA MCIT
> Security Engineer
> University of Pennsylvania, School of Arts & Sciences
>
> The digital signature on this message can be verified using the key at
> https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key
>
> On 08/19/2013 11:54 AM, Dave Aitel wrote:
> > So if you are like me, you are amused by people who strategize on
> > Cyber without looking at some of the weirder sides to the equation
> > - i.e. copyright, drug law, funny cat videos, etc. In any case, if
> > you can stand to hear me rant on and on about such things, the
> > below loopcast goes into some of this stuff in a hopefully amusing
> > way. Vanessa tells me it's quite annoying to listen to me talk
> > about cyberwar for this long, but I sit behind her all day and so
> > she's forced to hear me go on and on about funny cat videos on a
> > regular basis.
> >
> > http://www.theloopcast.com/2013/08/16/episode-73-strategy-and-information-security/
> >
> > Some of the other presentations I've done on this subject that are
> > not really linked anywhere are here:
> > http://prezi.com/zayyak66yyia/what-is-a-cyber-weapon/ (prezi)
> > http://www.youtube.com/watch?v=GiV6am2lNTQ&feature=youtu.be (movie
> > from RSA 2012)
> >
> > -dave
> >
> > _______________________________________________
> > Dailydave mailing list
> > [email protected]
> > https://lists.immunityinc.com/mailman/listinfo/dailydave
