  1. #1
    Join Date
    Jul 2003
    Location
    NYC
    Posts
    245

    What is the most secure language to use for web apps?

    Hi guys,

    What is the most secure, or most securable, language that can be used to develop a web application for an adult paid-membership-based website? The backbone database is to be kept on MySQL. What do you think of using Ruby or PHP? Or is PERL a better choice when it comes to security? It is to be designed to utilize Template Toolkit perhaps, and MVC along with Catalyst...

    Please give me your inputs.

    regards,
    DPNY
    ---|| Avurt Inc. - ||---
    www.avurt.com
    Banners, Prints, Graphics, Web sites & Much more

  2. #2
    Join Date
    Sep 2004
    Location
    Flint, Michigan
    Posts
    5,765
    Really, all the languages you listed are "secure" by default; it's the application that you write that will make the application secure or insecure.
    Mike from Zoodia.com
    Professional web design and development services.
    In need of a fresh hosting design? See what premade designs we have in stock!
    Web design tips, tricks, and more at MichaelPruitt.com

  3. #3
    Join Date
    Aug 2001
    Location
    Central USA
    Posts
    200
    The language itself isn't "secure" or not, it's how you code and build the application that determines whether or not it will be secure.
    InvoiceMore - Online Billing & Invoicing
    phpDataMapper - Object-Oriented PHP5 Data Mapper ORM

  4. #4
    Join Date
    Dec 2007
    Location
    Michigan
    Posts
    286
    Straight HTML and static files are pretty secure.

    They're right, it's more the programmer than the language that matters when it comes to security.
    Nexcess - Magento and Wordpress Hosting Specialists!

  5. #5
    I'm in your server netcat-ing your TCP/IP.

    Seriously though, there are a lot more things to consider when looking at security than just a programming language. Like: how do you move files there? How are permissions set up? How do you access your database? Who has physical access to the server? Who has remote access? Updates? Backups? Injection?.....

  6. #6
    Join Date
    Jul 2003
    Location
    NYC
    Posts
    245
    Ahhh! Thanks for the great input. On the server itself: disable all FTP access, stop all unneeded services, run only the needed ones. Run MySQL only, do the site in PHP, and use mod_rewrite to fool everyone by removing the extensions (SEO friendly) so no one knows your platform. Secure it using a login system that detects IP and browser and stores the session in the database; if it detects a change, it will log out the user, and so forth...

    Any input? Still have to watch out for "netcat-ers"?

  7. #7
    Join Date
    Jun 2003
    Location
    Scotland
    Posts
    298
    I think it's down to how the application is coded rather than the actual language.

    Liam

  8. #8
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by dpny:
    ...using login system that detects IP and Browser and stores session on database...
    That won't work for AOL and similar services, because multiple users have the same IP when they hit the 'net. You may want to use cookies or add the [encrypted] session key to the URLs so that you're able to keep each user unique.
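The "log out if the IP or browser changes" scheme from post #6, and the objection in post #8 that shared-proxy users (AOL at the time) change IP between requests, can be shown in working code. The following is an added example, not code from any poster: a server-side session store that binds a random session ID to an HMAC of the User-Agent string (deliberately not the IP address), destroys the session on any mismatch or after an idle timeout, and rotates the ID after login so a fixated or leaked ID stops working. The in-memory dictionary stands in for the database table the post describes; the secret, TTL and table layout are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store; a real deployment would use the
# database table the original post talks about (assumption for the example).
SESSIONS = {}
SESSION_TTL = 30 * 60  # seconds of inactivity before a session is dropped


def _fingerprint(user_agent: str, secret: bytes) -> str:
    """Keyed hash of the client traits the session is bound to.

    The client IP is intentionally left out: users behind a shared or
    rotating proxy (the AOL case) change IP from one request to the next,
    so binding to it logs legitimate users out.
    """
    return hmac.new(secret, user_agent.encode("utf-8"), hashlib.sha256).hexdigest()


def create_session(user_id, user_agent: str, secret: bytes, now=None) -> str:
    """Mint a new session for an authenticated user and return its ID."""
    now = time.time() if now is None else now
    # 256 bits from the OS CSPRNG; never derive the ID from user data.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user_id,
        "fp": _fingerprint(user_agent, secret),
        "last": now,
    }
    return sid


def lookup_session(sid: str, user_agent: str, secret: bytes, now=None):
    """Return the user ID for a valid session, or None.

    Any fingerprint mismatch or idle timeout destroys the session outright,
    which is the 'log out the user on change' behaviour from post #6.
    """
    now = time.time() if now is None else now
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    expired = now - rec["last"] > SESSION_TTL
    # constant-time comparison so the check does not leak bytes of the hash
    fp_ok = hmac.compare_digest(rec["fp"], _fingerprint(user_agent, secret))
    if expired or not fp_ok:
        del SESSIONS[sid]
        return None
    rec["last"] = now
    return rec["user"]


def rotate_session(sid: str, user_agent: str, secret: bytes, now=None):
    """Replace a valid session's ID with a fresh one (call right after login).

    Returns the new ID, or None if the old session was not valid.
    """
    user = lookup_session(sid, user_agent, secret, now)
    if user is None:
        return None
    del SESSIONS[sid]
    return create_session(user, user_agent, secret, now)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    sid = create_session("alice", "Mozilla/5.0 (example)", secret)
    print("same browser   ->", lookup_session(sid, "Mozilla/5.0 (example)", secret))
    print("other browser  ->", lookup_session(sid, "curl/7.0", secret))
    print("after mismatch ->", lookup_session(sid, "Mozilla/5.0 (example)", secret))
```

The ID itself still has to reach the browser in a cookie (with the Secure and HttpOnly flags) rather than in the URL; putting even an encrypted session key in URLs leaks it through Referer headers, proxy logs and browser history. Binding to the User-Agent is a weak signal, since an attacker who stole the cookie can usually copy the header as well, so it is defence in depth on top of a random ID and a short idle timeout, not a substitute for them.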

  9. #9
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by Czaries:
    The language itself isn't "secure" or not, it's how you code and build the application that determines whether or not it will be secure.
    I'm not sure I'd completely agree with that.

    For example, in PHP versions 4.2.0 and 4.2.1 there was a vulnerability that allowed an intruder to execute arbitrary code with the privileges of the web server and, under certain conditions, to gain privileged access. (The vulnerability was acknowledged by the PHP developers.)

    Ruby isn't necessarily better, as there was an exploit that allowed one to execute arbitrary code and bypass the safe levels. (Also ack'd by the developers.)

    That's why we only use compiled languages, in which case I'd agree that coding practices determine security.

  10. #10
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    Sure, there have been vulnerabilities found in most languages over the years, but they're usually exploitable only under certain conditions (e.g. the developer happens to use a vulnerable function on user-supplied data). Equally, there have been exploits found in other internet-connected applications (look at the current speculation about ProFTPd and Courier).

    But hundreds or thousands of times more common are exploitable applications (e.g. SQL injections, remote file includes, XSS) which are simply due to bad coding, most often lack of input validation or echoing user input back to the page. Using a compiled language won't protect you from bad code.

    That said, I do believe some languages are inherently more secure than others. PHP's historical support of register_globals and peculiar need to allow file functions to work identically on remote urls made it easy for beginners to write exploitable programs. Conversely perl with taint mode turned on is quite fanatical about preventing unsafe operations on user-supplied data. Ultimately, of course, you can still write safe or unsafe applications in either...
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
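The three application-level bugs named in post #10 (SQL injection, remote file include, XSS) all come from letting user-supplied data change the structure of something, whether a query, an include path or an HTML page. The block below is an added example and not code from the thread; it puts the vulnerable form of each next to the hardened form, using an in-memory SQLite table with constructed sample rows. The member table, the template names and the plaintext password column are assumptions made only to keep the demonstration short; a real site stores a salted password hash.

```python
import html
import sqlite3


def make_db():
    """Constructed sample member table (not real data).

    The plaintext password column exists only so the injection below is
    easy to follow; store a salted hash in practice.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT)")
    db.execute("INSERT INTO members VALUES ('alice', 'correct-horse')")
    return db


# --- SQL injection -------------------------------------------------------

def login_vulnerable(db, username, password):
    # User input is spliced into the SQL text, so a password of
    #   ' OR '1'='1
    # turns the WHERE clause into "... AND password = '' OR '1'='1'".
    sql = ("SELECT username FROM members WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()


def login_parameterized(db, username, password):
    # Placeholders fix the query's structure before any input is seen;
    # the values are only ever data, whatever quotes they contain.
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


# --- Remote / local file include ----------------------------------------

# Constructed template table standing in for files on disk.
TEMPLATES = {
    "home": "<h1>Home</h1>",
    "account": "<h1>Your account</h1>",
}


def include_template(name):
    # The PHP pattern include($_GET['page']) loads whatever the user names,
    # including "../../etc/passwd" or "http://evil.example/shell.txt".
    # Map the user's choice onto a fixed allowlist instead of treating it
    # as a path.
    if name not in TEMPLATES:
        raise ValueError("unknown template: %r" % name)
    return TEMPLATES[name]


# --- Reflected XSS -------------------------------------------------------

def greeting_vulnerable(name):
    # Echoing user input back into the page unescaped.
    return "<p>Welcome back, %s</p>" % name


def greeting_escaped(name):
    # Escape at the point of output, for the context it is output into
    # (here an HTML text node; attribute and JS contexts need their own rules).
    return "<p>Welcome back, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    evil = "' OR '1'='1"
    print("concatenated :", login_vulnerable(db, "nobody", evil))
    print("parameterized:", login_parameterized(db, "nobody", evil))
    print(greeting_escaped("<script>alert(1)</script>"))
```

Input validation helps, but the decisive fix in each case is structural: parameterized queries, an allowlist instead of a path, and context-aware output escaping. Perl's taint mode, mentioned in the post, enforces the same discipline at the language level by refusing to pass unchecked user data to such operations.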

  11. #11
    Join Date
    Aug 2001
    Location
    Central USA
    Posts
    200

    It's still the programmer...

    Quote Originally Posted by Domainitor:
    I'm not sure I'd completely agree with that.

    For example, in PHP versions 4.2.0 and 4.2.1 there was a vulnerability that allowed an intruder to execute arbitrary code with the privileges of the web server and, under certain conditions, to gain privileged access. (The vulnerability was acknowledged by the PHP developers.)

    Ruby isn't necessarily better, as there was an exploit that allowed one to execute arbitrary code and bypass the safe levels. (Also ack'd by the developers.)

    That's why we only use compiled languages, in which case I'd agree that coding practices determine security.
    There will always be security vulnerabilities found in almost every piece of software ever written. Most of the time, the "under certain conditions" part of that statement refers to a way the application was programmed in the first place, which allowed the vulnerability to be used - most often associated with un-sanitized user input that has been directly passed into some core function like eval() or exec(). This is the programmer's fault, not the language's. If your code is done right the first time, 99.9% of the time these vulnerabilities will have no effect on you at all. In those 0.01% times, you simply upgrade to the new version.

    And on a side note, I stopped using PHP4 3 years ago. When a new version of software like this has been out for more than 3 years, it's already long past time to upgrade and move on. That being said, I do think that some languages are more mature than others. I don't think PHP really became fully "mature" until the PHP 5.1 stable release.

    The compiled language vs. interpreted language doesn't really matter at all, because the application behaves the way the programmer told it to, compiled or not - the functions still run the same way. Don't think that just because your language is compiled, it's inherently safer. That is a very dangerous assumption to make.

    The difference the programming language makes is that some languages do a better job of preventing the programmer from shooting themselves in the foot than others.

  12. #12
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by Czaries:
    The compiled language vs. interpreted language doesn't really matter at all, because the application behaves the way the programmer told it to, compiled or not - the functions still run the same way. Don't think that just because your language is compiled, it's inherently safer. That is a very dangerous assumption to make.

    The difference the programming language makes is that some languages do a better job of preventing the programmer from shooting themselves in the foot than others.
    We clearly have a difference of opinion here....

    I should first point out that when I say "compiled language" I'm not referring to "compiling" an interpreted language. For many efficiency-related reasons we don't use any interpreted [scripting] languages like PERL, PHP, etc. When I say "compiled language" I'm referring to languages like C.

    There are still vulnerabilities in contemporary versions of PHP; see, for example, this Debian.org Security Advisory. I just can't agree that a program written in C is as vulnerable as a script written in PHP or similar languages. I'm presuming in both cases (program vs. script) that the coder is experienced and follows fairly standard guidelines regarding secure/reasonable code.

    We're close on the shooting in the foot: I'd say that some languages make more facilities available to help the programmer avoid common pitfalls, which is good for the current crop of hacks. (No offense meant here; if you're not schooled, you're a hack. It's only derogatory if you choose to take it that way; it's not meant in a negative or derogatory fashion.)

    But given a choice of a scripting language or a compiled language, I'll take the compiled language every day of the week.

  13. #13
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    Compilation can certainly affect efficiency but really it has nothing to do with security. Perl and PHP are also compiled - immediately before execution. Do you really think it matters when the compilation is done?

    But since you bring up C, the major difference between C and modern, higher-level languages is automated memory management and garbage collection. C allows programmers to write directly to memory locations, so mistakes like permitting a buffer overflow can have disastrous (and exploitable) consequences.

    The only reason for a C program to be more secure than one written in a modern scripting language would be a more experienced / expert programmer.

    Edit: Isn't PHP actually written in C? So all these PHP vulnerabilities you're linking to are actually examples of an insecure C program...
    Last edited by foobic; 01-30-2008 at 06:34 PM.

  14. #14
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by foobic:
    Compilation can certainly affect efficiency but really it has nothing to do with security. Perl and PHP are also compiled - immediately before execution. Do you really think it matters when the compilation is done?
    No, I don't. Because they're not really compiled. They're converted to bytecode.

    Quote Originally Posted by foobic:
    But since you bring up C, the major difference between C and modern, higher-level languages is automated memory management and garbage collection.
    Well, sorta.... We've had garbage collectors for decades. Remember Lisp?

    Quote Originally Posted by foobic:
    C allows programmers to write directly to memory locations, so mistakes like permitting a buffer overflow can have disastrous (and exploitable) consequences.

    The only reason for a C program to be more secure than one written in a modern scripting language would be a more experienced / expert programmer.

    Edit: Isn't PHP actually written in C? So all these PHP vulnerabilities you're linking to are actually examples of an insecure C program...
    Hence my comment about hacks: if you don't know what you're doing, you shouldn't be doing it. At least not where it can have a negative effect on someone else or their business.

    In the last thirty+ years I've written operating systems, interpreters, and compilers; I'm hopeful that I fall in your "more experienced/expert programmer" category.

    And that there are defects in the Zend engine doesn't prove anything either way.

    My point is simply that using a true compiled language is inherently more secure if for no other reason than the experienced programmer being able to craft a program to the level of their abilities rather than relying on algorithms implemented by persons who may be of lesser skill.

  15. #15
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    So if I understand you right what you're saying is:
    1. using C filters out the "hacks" leaving only the most highly skilled programmers
    2. these elite programmers are so good that they write better, more secure code than the "lesser skilled" developers of Zend/PHP, perl, python etc.

    I can't say I find either point very plausible but accepting them for a moment, why stop at C? Get everything written directly in machine-code - that'll sort the men from the boys!

  16. #16
    Join Date
    Nov 2004
    Location
    Tega Cay
    Posts
    763
    Quote Originally Posted by dpny:
    Hi guys,

    What is the most secured or can be secured - language...
    Latin, I don't think many hackers these days speak Latin. Yep, it gets my vote.

  17. #17
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    Quote Originally Posted by Squorpeeon:
    Latin, I don't think many hackers these days speak Latin. Yep, it gets my vote.
    Tsk, don't you know that's security by obscurity?!

  18. #18
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by foobic:
    So if I understand you right what you're saying is:
    1. using C filters out the "hacks" leaving only the most highly skilled programmers
    2. these elite programmers are so good that they write better, more secure code than the "lesser skilled" developers of Zend/PHP, perl, python etc.

    I can't say I find either point very plausible but accepting them for a moment, why stop at C? Get everything written directly in machine-code - that'll sort the men from the boys!
    Actually, that's not really what I'm saying. Anyone can code in any language, but I find compiled languages to be intrinsically more secure. And I find that there are more inexperienced programmers using interpreters than not. Which puts your second point out the window....

    Having programmed in machine code it's rather tedious, but when speed is critical it makes the most sense. Most of the time assembly will suffice, though.

  19. #19
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    Let's try it again with some quotes and bold:
    Quote Originally Posted by Domainitor:
    My point is simply that using a true compiled language is inherently more secure if for no other reason than the experienced programmer being able to craft a program to the level of their abilities rather than relying on algorithms implemented by persons who may be of lesser skill.
    I read that as:
    These elite C programmers are so good that they write better, more secure code than the lesser skilled developers who have created Zend/PHP, perl, python etc. (written originally in C) and produced the many useful algorithms that users of these languages rely on.

    If not, what did you mean?

    BTW, you still haven't explained how (apart from the undoubted brilliance of the programmers who use it ) a language like C with no memory management can be "intrinsically more secure".

  20. #20
    Join Date
    Jun 2005
    Posts
    531
    Read that however you like. I meant it precisely as I wrote it, not as you're twisting it.

    Have I touched a nerve? Why are you so combative?

    And why do you think interpreters with garbage collectors are the be all, end all? I wasn't aware that I needed to explain why managing your own memory is A Good Idea.... If you don't understand it now, far be it from me to school you.

  21. #21
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    Quote Originally Posted by Domainitor:
    Have I touched a nerve? Why are you so combative?
    No, it's just that when someone who apparently knows something about the subject makes statements that seem to me quite wrong, I try to dig deeper to learn what I'm missing. However I don't think this debate's going anywhere useful and I'm sure it's not helping the OP so I'll bow out now.

  22. #22
    Join Date
    Aug 2005
    Location
    UK
    Posts
    654
    Quote Originally Posted by Domainitor:
    I'm not sure I'd completely agree with that.

    For example, in PHP versions 4.2.0 and 4.2.1 there was a vulnerability that allowed an intruder to execute arbitrary code with the privileges of the web server and, under certain conditions, to gain privileged access. (The vulnerability was acknowledged by the PHP developers.)

    Ruby isn't necessarily better, as there was an exploit that allowed one to execute arbitrary code and bypass the safe levels. (Also ack'd by the developers.)

    That's why we only use compiled languages, in which case I'd agree that coding practices determine security.
    Compiled languages are in no way necessarily more secure than interpreted languages. As people have already been saying, it's a LOT more to do with the programming of the application itself and the configuration of its environment.

    A few examples from the big two in compiled runtimes, just as damning as the PHP and Ruby exploits.

  23. #23
    Join Date
    Sep 2006
    Location
    Brum, UK
    Posts
    46
    Quick question I've been wondering about recently, can C / C++ / "compiled languages" even be used for web apps? Any examples?

    Even if they could, aren't web-based languages like PHP / Perl / whatever a lot more effective at being, er.... web based? When was the last time you saw a forum coded in anything other than PHP/ASP/Perl? Yes, they may have insecurities, but you need to have a trade-off between security and efficiency, IMO...

    Regards

  24. #24
    Join Date
    Aug 2005
    Location
    UK
    Posts
    654
    There are C/C++ toolkits and frameworks to make CGI apps.

    When I first started working on server-side CGI applications it was with the Netscape HTTPd, using CGI routines I wrote myself in C. Trust me when I say it is anything but "rapid".

    There are other compiled languages that can be used.

    Basically, any language that can read data in from a UNIX STDIN and output to STDOUT, and check the $ENV variable space, can be used to program a CGI script.
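That contract (environment variables and STDIN in, headers and body on STDOUT) is small enough to write out in full, and doing so shows where the security work in a hand-rolled CGI handler actually lives. The following is an added example, not code from the poster or from any CGI toolkit: a handler that reads only the advertised CONTENT_LENGTH (with a cap, so a lying client cannot make the process read forever), parses the query string and an urlencoded POST body, and escapes the one value it echoes back. The request shape, the size cap and the sample environment in the `__main__` block are assumptions for the example; Python is used here in place of the C the poster wrote his routines in.

```python
import html
import io
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # largest POST body the handler is willing to read


def handle_cgi(environ, stdin):
    """Process one CGI request.

    environ: the CGI environment (os.environ in production, a dict in tests)
    stdin:   a binary stream holding the request body
    Returns (status, headers, body) rather than writing, so it can be tested.
    """
    method = environ.get("REQUEST_METHOD", "GET")
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    form = {}

    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            return "400 Bad Request", [("Content-Type", "text/plain")], "bad Content-Length\n"
        if length < 0 or length > MAX_BODY:
            return "413 Payload Too Large", [("Content-Type", "text/plain")], "body too large\n"
        # Read exactly what was declared: never stdin.read() with no bound.
        raw = stdin.read(length)
        if environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
            form = parse_qs(raw.decode("utf-8", "replace"), keep_blank_values=True)

    # Form field wins over query string; both are untrusted.
    name = (form.get("name") or query.get("name") or ["anonymous"])[0]
    body = "<p>Hello, %s</p>\n" % html.escape(name, quote=True)
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ]
    return "200 OK", headers, body


def format_response(status, headers, body):
    """Serialize the tuple into what the web server expects on STDOUT.

    The 'Status:' pseudo-header is how a CGI script sets the HTTP status;
    the blank line terminates the header block.
    """
    lines = ["Status: %s" % status] + ["%s: %s" % kv for kv in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def run_request(environ, raw_body=b""):
    """Run one request from a constructed environment and body bytes."""
    return format_response(*handle_cgi(environ, io.BytesIO(raw_body)))


if __name__ == "__main__":
    if "REQUEST_METHOD" in os.environ:
        # Real CGI invocation: the server supplies the environment and body.
        sys.stdout.write(format_response(*handle_cgi(os.environ, sys.stdin.buffer)))
    else:
        # Constructed sample request for running the file by hand.
        sys.stdout.write(run_request({"REQUEST_METHOD": "GET",
                                      "QUERY_STRING": "name=<b>demo</b>"}))
```

Everything in `environ` except the variables the server itself sets is attacker-controlled (PATH_INFO, QUERY_STRING, HTTP_* headers), which is why the handler treats them as input to be parsed and bounded rather than as trusted configuration.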

  25. #25
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by Xeentech:
    Compiled languages are in no way necessarily more secure than interpreted languages. As people have already been saying, it's a LOT more to do with the programming of the application itself and the configuration of its environment.

    A few examples from the big two in compiled runtimes, just as damning as the PHP and Ruby exploits.
    Right. And as I said:

    Quote Originally Posted by Domainitor:
    That's why we only use compiled languages, in which case I'd agree that coding practices determine security.
    When you say
    Quote Originally Posted by Xeentech:
    Trust me when I say it is anything but "rapid".
    you're referring to the development time, right?

  26. #26
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by Jonaid:
    Quick question I've been wondering about recently, can C / C++ / "compiled languages" even be used for web apps? Any examples?

    Even if they could, aren't web-based languages like PHP / Perl / whatever a lot more effective at being, er.... web based? When was the last time you saw a forum coded in anything other than PHP/ASP/Perl? Yes, they may have insecurities, but you need to have a trade-off between security and efficiency, IMO...

    Regards
    I guess, then, it depends on where you want your efficiency and what you're willing to trade for it. I'm willing to spend time crafting C because at runtime I know it'll be faster than a scripting language. I s'pose I could be "more efficient" cranking out PHP or Python or PERL, but I need the speed at runtime, not during development.

  27. #27
    Join Date
    Aug 2001
    Location
    Central USA
    Posts
    200
    This sounds like it's becoming a flame war... Let's just all stop with the point we already all stated and agree on: The security is determined most by the programmer, not the language. Continued debate is not really helping the OP at all.

  28. #28
    I'm sorry - maybe you'd classify me as a hack (I have worked on many enterprise level, mission critical, yada-yada) but I would NEVER suggest someone write their web application in C. Don't get me wrong - I love C. Highly optimized and well structured C programs can be a near work of art. But the return you would get on time spent in this day and age for a web app would be an instant no go for any project manager with even the slightest bit of common sense.

  29. #29
    Join Date
    Jun 2005
    Posts
    531
    Quote Originally Posted by nnormal:
    I'm sorry - maybe you'd classify me as a hack (I have worked on many enterprise level, mission critical, yada-yada) but I would NEVER suggest someone write their web application in C. Don't get me wrong - I love C. Highly optimized and well structured C programs can be a near work of art. But the return you would get on time spent in this day and age for a web app would be an instant no go for any project manager with even the slightest bit of common sense.
    Then I guess we're lacking common sense. And our customers, too.

    Seriously, though, for the types of web apps we write, interpreters don't make sense. We build fast, scalable, distributable systems designed for very heavy loads. And while hardware is cheap, simply throwing hardware at the problem doesn't cut it.

  30. #30
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    The language itself is always going to be hacked, updated, etc. This is why it's imperative to keep these languages (perl, php, etc) up to date on your server, because usually updates will include vulnerability fixes, etc.

    From a personal standpoint, I find php more secure than anything else, because the output is a lot more easily manipulated. Of course, that comes from a C based programmer of 10 years (before I even touched php), so it could be that I just find myself a bit more @ home with the php environment.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  31. #31

    Catalyst and PostgreSQL

    Quote Originally Posted by dpny:
    Hi guys,
    The backbone database is to be kept on MySQL.
    Go to secunia.com and search for security issues with MySQL (422) vs. PostgreSQL (155). Note that MySQL 5.x currently has an unpatched "moderately critical" vulnerability. If that's not enough reason to consider PostgreSQL, see the comparisons I linked at del (dot) icio.us/dandvd/PostgreSQL+MySQL
    (stupid anti-noob rule doesn't let me use URLs)
    Quote Originally Posted by dpny:
    What do you think of using Ruby or PHP? Or is PERL a better choice when it comes to security? It is to be designed to utilize template-toolkit perhaps and MVC along with catalyst...
    Good choice on Catalyst.

    Quote Originally Posted by dpny:
    regards,
    DPNY
    If the latter two letters of your nickname mean "New York", we can pretty much guess what the first two mean, given that you're looking for advice on building an adult paid site...
