PHP Security Expert Resigns
juct writes "PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser has quit the PHP security team. He feels that his attempt to make PHP safer "from the inside" is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO, of course disagrees and urges Stefan to work with the PHP development team instead of working against it. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after a reasonable time — regardless of whether a patch is available or not."
Update: 10/30 12:57 GMT by KD : Zeev Suraski wrote in to protest: "I'm quoted as if I 'point fingers at inexperienced developers,' and of course, there's no link to that — because it's not true! The two issues — security problems in Web apps written in PHP, and security problems in PHP itself — are two distinct issues. Nobody, including myself, is saying that there are no security problems in PHP — not unlike pretty much any other piece of software. Nobody, I think, argues the fact that there have been many more security problems at the application level than there were at the language level. I never replied to Stefan's accusations of security problems in PHP saying 'that's bull, it's all the developers' fault,' and I have no intention to do it in the future."
YAY (Score:1, Funny)
GREAT IDEA!!!!
PHP Security Expert (Score:5, Funny)
Isn't that an oxymoron?
Re:Lemme guess... MySQL is also the best database? (Score:3, Funny)
I use a LAMP stack for the most part; many of the security holes in PHP aren't due to the language itself but to the developers of the various webapps.
That being said, this requires a repost of the ol Adminspotting [adminspotting.org] thang.
Choose no life. Choose no career. Choose no family.
Choose a fucking big computer, choose disk arrays the
size of washing machines, modem racks, CD-ROM writers,
and electrical coffee makers. Choose no sleep, high
caffeine and mental insurance. Choose no friends.
Choose black jeans and matching combat boots. Choose
chairs for your office in a range of fucking fabrics.
Choose SMTP and wondering why the fuck you are logged
on on a sunday morning. Choose sitting in that swivel
chair looking at mind-numbing, spirit-crushing web sites,
stuffing fucking junk food into your mouth. Choose
rotting away at the end of it all, pishing your last in
some miserable newsgroup, nothing more than an
embarrassment to the selfish, fucked up lusers Gates
spawned to replace the computer-literate.
Choose your future.
Choose to sysadmin.
Open source is the issue (Score:3, Funny)
XSS by default (Score:5, Funny)
Re:As a PHP user.... (Score:4, Funny)
Shenanigans! (Score:5, Funny)
I call shenanigans! No way was PHP 'designed'!
If he returns to the PHP after discussions (Score:4, Funny)
Apologies to Douglas R. Hofstadter
If PGP... (Score:4, Funny)
Re:Question from a .NET developer trying to go OSS (Score:3, Funny)
Re:PHP Security Expert (Score:3, Funny)
I know exactly nothing about PHP...
... I take the utmost care over security and this was the first ever breakin.
Would you call blindly installing a server side scripting language of which you know nothing 'taking utmost care over security'?
Re:Question from a .NET developer trying to go OSS (Score:3, Funny)
The only Rails guy I see routinely mouthing off is DHH. Most of his invective (that I've read) is aimed at Java, though, which is a mitigating factor. J2EE is easy to bash because you'll be right most of the time.