[HLUG] archiving software

Mark Broadbent markb at wetlettuce.com
Sat Jan 5 20:33:26 GMT 2008


Julian Robbins wrote:
> Mark Broadbent wrote:
>> On 05/01/2008, Alex Mace <alex at hollytree.co.uk> wrote:
>>> Ahem, to my mind something being written in Python does not make it
>>> more secure than something PHP, it's down to the programmer to
>>> remember to properly filter input, encode output rather than the
>>> language itself. PHP is an easy language to pick up which means that
>>> you get a lot of programmers who don't know what they are doing. The
>>> language itself is not a measure of security.
>>
>> I would completely agree with that, no language I know of will protect
>> you from things like cross-site scripting and SQL injection attacks.
>> It's all down to the programmer at the end of the day.  I remember
>> reading a few months ago about a university that had produced an app
>> that could check your PHP code and tell the user where
>> untrusted/external data was being passed to db functions or
>> output to the end user.  It only supports PHP 4 though which was a bit
>> of a stumbling block for me.
> 
> All true, but I do agree with Richard that PHP web scripts do seem to 
> show more security vulnerabilities than python based ones.
> 
> Have a look at secunia.com for Plone and Joomla (an example of a well-known, 
> well-crafted PHP web CMS).
> 
> Plone :- 3 security vulnerabilities, from 2003 -2008 
> http://secunia.com/product/9334/?task=statistics
> Joomla :- 12 security vulnerabilities from 2003 - 2008 
> http://secunia.com/product/5788/?task=statistics
> 
> (Both have been around since ~2005, although Plone 3 (not shown above) 
> was released in late 2007.)

I'm wary of using the number of vulns to describe how secure/insecure a
piece of software is; this could lead someone to believe that either:

a. The developers of Joomla are much better at finding and reporting
vulns that exist in their software.  This may imply that Joomla is more
secure than Plone.
b. The developers of Plone are better at writing secure code which means
that fewer vulns will be discovered.  This then would imply that Plone
is more secure than Joomla.

I think the only way you could compare the two is to have the same set
of developers writing the same software using different languages.

I don't think language choice is an issue here at all.  The reason (I
suspect) we see more PHP based vulns is that:

a. PHP has much greater usage than Python so will show up more often.
b. Less experienced programmers will tend to use PHP as PHP is available
on nearly every web hosting account.

> I know this isn't very representative, but I do believe that PHP coded 
> sites do seem to be a bit more prone to security issues.. and the info 
> above does tend to bear this out. 4 times more vulnerabilities for 
> Joomla (PHP) than Plone (Python).
> 
> Just for interest, I also checked out Zope, the application 
> server/database that Plone runs on (also written in Python); 5 issues 
> since 2004; not bad at all. For interest, MySQL 4 had 21 vulnerabilities 
> (!) in a similar period. MySQL isn't written in PHP I know, but it 
> demonstrates that a Joomla/MySQL server combination against a Plone/Zope 
> web server one had 33 against 8 vulnerabilities, quite a big difference 
> I think.

Just remember that Firefox has more reported vulns than Internet
Explorer, however this does not mean IE is more secure.  There are other
metrics that need to be addressed such as responsiveness to fixing and
severity of the flaw.

Cheers
Mark

-- 
Mark Broadbent <markb at wetlettuce.com>
Herefordshire LUG Master

Web: www.wetlettuce.com
LUG: www.herefordshire.lug.org.uk
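The point Alex and Mark make above (that neither PHP nor Python protects you from SQL injection or cross-site scripting unless the programmer binds parameters and encodes output) can be shown in Python just as easily as in PHP. The following is an added example, not code from the thread or from any of the projects mentioned; the `users` table, the names and the `example.invalid` addresses are constructed sample data. It puts a query built by string formatting next to a parameterised one, and raw HTML output next to escaped output, so the difference in behaviour is visible rather than asserted.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input spliced into the SQL text.  The database cannot tell
    data from code here, so the meaning of the query depends on what `name`
    contains: a quote in the input changes the WHERE clause itself."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: `name` is bound as a value by the driver and is
    never parsed as SQL, whatever characters it contains."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_greeting_unsafe(name: str) -> str:
    """Raw interpolation into HTML: markup in `name` is rendered as markup."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding: html.escape turns <, >, &, quotes into entities, so
    the browser shows the text instead of interpreting it."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    # Classic textbook input: a stray quote plus an always-true condition.
    tainted = "' OR '1'='1"
    print("unsafe :", find_user_unsafe(db, tainted))   # every row comes back
    print("safe   :", find_user_safe(db, tainted))     # no such user: []
    print("html   :", render_greeting_safe("<b>bob</b>"))
```

Run as a script it prints both query results side by side; the parameterised version returns nothing for the tainted input because it is looking for a user literally named `' OR '1'='1`. The same two fixes (bound parameters via PDO or mysqli, and `htmlspecialchars` on output) are what a PHP programmer would apply, which is the sense in which the language is not the deciding factor.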
