Hi,

A few issues I have with the list, though for the most part I personally
agree (without going into details of why, which would help explain, but mean
little)... I do not agree that PHP is more insecure because of poor coding
and the ease of writing insecure programs.  That is 100% true of any and all
languages.  If you mean something specific like the interface and the PHP
interpreter itself can more easily open security issues due to coding over
other interpreted languages, that I could agree with more.

PHP had problems and it's more than a simple matter of poor coders and
allowing for people to more easily code insecure scripts.  That's just a
fact of any language and lack of skills and/or understanding by the coder.
The issues with PHP that I agree with, are the underlying functions and
interface, where the module and CGI binaries both have a long history of
bugs and security issues.  That, for one, is not the case with many of the
other languages, and it's very frequent--enough to be on this list in my
opinion, though others may (and will) disagree, I'm sure.

As for BIND and OpenSSH (someone else mentioned), I don't recall a large
number of problems, but just the fact that there were enough *very large*
exploits that made them voodoo to use.  Maybe I'm wrong, I haven't used them
for a long time (though I do use BIND all the time due to work, but never
Sendmail anymore).  I've not seen any BIND (major issues anyway) for a while
(not long enough though).  So far, the above mentioned PHP hasn't suffered
from that fate, so things could be worse.

The rest are services and protocols or likely legitimately complained about
programs, for the most part--though I don't have time nor desire to get into
all that right now.  Someone recently posted a pretty accurate and detailed
summary of all the variables involved (without the mention of one program),
and that's probably about as precise as it gets, though not really outlining
the actual programs--which was (originally?) the point and topic (I
thought).
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.


----- Original Message -----
From: "Chris Berry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 1:42 PM
Subject: RE: Ten least secure programs


> >From: "Nero, Nick" <[EMAIL PROTECTED]>
> >Hmmm, some interesting omissions in your Microsoft-laden list are:
>
> I'd hardly call it Microsoft laden when only 2 out of ten were MS
> products.
>
> >Apache (holes are found monthly)
>
> True, but still about half those found in IIS so probably the better
> choice.
>
> >JVM (Sun just patched something like 2600 bugs)
>
> I'm not worried about bugs, just vulnerabilities, and for that
> securityfocus lists ZERO, so I'm not too stressed about it.
>
> Here's an updated list, only need to decide on one more.  (not in order)
>
> Microsoft Outlook & Outlook Express - Pretty much just all bad when used
> for email
> Telnet - When used for remote control, use SSH instead for all but a few
> testing uses
> Sendmail - Monolithic and too much root, use qmail or postfix instead
> IIS Server - Constant updating required, really bad defaults
> Wireless networking - Unless you're incredibly paranoid, though 802.1x
> looks promising
> PHP - Mostly due to poor coding and the ease of writing insecure programs
> R services (rsh, rcp, rlogin) - Just too darn old, use SSH instead
> ActiveX - Mostly because of the apps associated with it rather than the
> protocol itself
> BIND - Really bad history of problems, monolithic, too much root, use
> djbdns instead
> ???? - Still looking for one more
>
> Chris Berry
> [EMAIL PROTECTED]
> Systems Administrator
> JM Associates
>
> "Encrypt everything, and ask questions later."
