> Well then we better start having web hosting companies who support ASP,
> Perl, CGI etc. be pointed out to the public so that when selecting a web
> host they know that they might be being put into an extreme risk situation.

Yes that's exactly the point, the risks for each should be pointed out. Is there anyone here who follows the security lists that doesn't see a risk level difference between say asp and php? Whether it's caused by the number of insecure applications available, the amount of knowledge about a particular platform, the amount of time being spent checking for exploits, the number of people using those extensions, whatever, there is certainly a difference in the risk factor of having one set of extensions over another available on public web servers (or private for that matter).

How would you evaluate the risk level between two hosting services, one which offers only asp or perl and one which offers a two-page checklist of extensions? How about just asp compared to dot net, do you not see the difference even without evaluating every piece of downloadable code written for each? Microsoft claims dot net is more secure (they claim everything new is more secure than their last version) and the security community sits by without comment.

What we need is a rating system, a risk level assessment of each of the server side extensions available based on how powerful they are, how easy or difficult it is to write bad code, how often they require patching or the apps written for them require patching, how often each is being used to exploit servers, etc. We need some sort of a rating system that allows the users to see the difference and to understand that more doesn't always mean better.

Geo.