> > The simple fact is most of the MS/PHP/JAVA web development will be
> > being done by code monkeys, fresh out of school..
>
> You're confusing what I'm interested in (platform security) with
> the people who use the platform to develop on top of. If the
> foundations of what you're using are insecure, then the web
> developer has a harder task.

I don't think the platform matters all that much if people are writing code and deploying code without security as a goal. While a particular platform may make it more difficult for a certain type of attack to occur (i.e. it's harder to have traditional buffer overflow attacks in something like OpenBSD or Java), the avenue of attacks for web applications is broad enough, particularly when the browser and ease-of-use-assisted social engineering is involved, that the platform is going to be moot compared to basic application design and deployment issues.

Heck, lots of banks do clear text redirects from http://www.bigassedbank.com/ to https://www.bigassedbank.com/, and then have idiots using them from coffee shops. That's much more fundamental than the sorts of things like html goo, sql insertion, browser bugs, etc. etc. etc.

I think the focus on "choice of platform" merely distracts attention from the design of the entire application and what the end to end impacts are. I know I've been given the "It's written in Java, it's secure" line of horse apples from people selling an application that couldn't even do ssl connections to ldap and smtp, and insisted on doing them in the clear. See? The choice of platform in this case is moot - design and implementation without security in mind is the problem.

-Bob
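The clear-text redirect Bob mentions can be checked mechanically. The following is an added example, not code from the post or from any product named in it: it takes a site's plain-http response and the headers of the https response it redirects to (constructed sample values below, using the post's bank hostname) and reports whether the first request still travels in the clear and whether the https side sets an HSTS policy strong enough to stop browsers sending that request.

```python
# Added example, not from the original post: audits a constructed pair of
# responses for the clear-text http -> https redirect pattern and its HSTS fix.
from typing import Dict, List

REDIRECTS = {301, 302, 303, 307, 308}
ONE_YEAR = 31536000

def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives."""
    d: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            d["max_age"] = int(arg)
        elif name == "includesubdomains":
            d["include_subdomains"] = True
        elif name == "preload":
            d["preload"] = True
    return d

def audit_redirect(http_status: int, http_headers: Dict[str, str],
                   https_headers: Dict[str, str]) -> List[str]:
    """Findings for the plain-http response and the https response it leads to."""
    h = {k.lower(): v for k, v in http_headers.items()}
    s = {k.lower(): v for k, v in https_headers.items()}
    findings: List[str] = []
    hsts = parse_hsts(s.get("strict-transport-security", ""))
    if http_status in REDIRECTS and h.get("location", "").startswith("https://"):
        # The redirect is answered in the clear, so anyone on the coffee-shop
        # network can answer first; only a preloaded HSTS policy keeps the
        # browser from sending that first plain-http request at all.
        if not hsts["preload"]:
            findings.append("first request travels in clear text and HSTS is not preloaded")
    elif http_status in REDIRECTS:
        findings.append("http redirect does not lead to https")
    else:
        findings.append("content is served over plain http")
    if hsts["max_age"] is None:
        findings.append("https response lacks Strict-Transport-Security")
    elif hsts["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age is shorter than one year")
    if hsts["max_age"] is not None and not hsts["include_subdomains"]:
        findings.append("HSTS does not cover subdomains")
    return findings

# Constructed sample: the bank's redirect with a bare https side, then a hardened one.
BANK = {"Location": "https://www.bigassedbank.com/"}
WEAK = audit_redirect(301, BANK, {"Content-Type": "text/html"})
HARDENED = audit_redirect(301, BANK, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
```

The weak configuration yields two findings (clear-text first request, no HSTS); the hardened one yields none, which is the point: the platform is irrelevant, the deployment decision is what closes the hole.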