Should enterprises avoid using PHP to develop applications? Some people believe PHP is simply too insecure compared with the alternatives.
WhiteHat Security recently published a study that used automated tools to scan about 1,700 web sites, count the security bugs found, and look for any correlation between those bugs and the programming language the site was built in. The general conclusion is that no language is "the safest". The study does show that some languages lend themselves to structured, maintainable code, and that some frameworks ship with security controls enabled by default. PHP may come off worse partly because it is so widely used, and partly because spammers abuse a great many insecure PHP forms to send spam (via e-mail header injection).
Even the most loyal PHP fans will agree that it is easier for an untrained programmer to write insecure code in a language like PHP. There are thousands of examples and tutorials on the Internet explaining how to use PHP to add a fancy feature to an application, but most of them say nothing about how to make that feature secure, which leaves the resulting application open to attack. As a result, feature-rich PHP applications are often not developed in a secure way.
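The e-mail injection mentioned above is a good illustration of a "fancy feature" tutorial that omits the security step. The following is an added example, not code from the original article: a contact form that copies the visitor's address straight into the headers passed to mail() is vulnerable, and the hardened version beside it validates the input before any header is built. The form field names (email, subject, message) and the recipient addresses are assumptions for illustration.

```php
<?php
// Added example (not from the original article). Field names and
// addresses are assumptions.

// Vulnerable version: a visitor who submits an address such as
// "alice@example.org\r\nBcc: spam@example.net" gets the injected Bcc
// line treated as a real header, turning the form into a spam relay.
function send_contact_vulnerable(array $post): bool
{
    $headers = "From: " . $post['email'] . "\r\n";
    return mail('webmaster@example.com', $post['subject'], $post['message'], $headers);
}

// Helper: any CR or LF in a value meant for a single header line is an
// injection attempt and must be rejected, not stripped and forwarded.
function contains_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Hardened input check. Returns the vetted fields or null on rejection.
function validate_contact_input(array $post): ?array
{
    $email   = trim((string) ($post['email'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $message = (string) ($post['message'] ?? '');

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                      // malformed or header-bearing address
    }
    if (contains_newline($email) || contains_newline($subject)) {
        return null;                      // header injection attempt
    }
    if ($subject === '' || strlen($subject) > 200) {
        return null;                      // keep the Subject header bounded
    }
    return ['email' => $email, 'subject' => $subject, 'message' => $message];
}

// Hardened version: headers are built only from vetted values, the From
// header is a fixed address under your control, and the visitor's address
// goes into Reply-To, so the mail also passes SPF/DMARC for your domain.
function send_contact_hardened(array $post): bool
{
    $clean = validate_contact_input($post);
    if ($clean === null) {
        return false;                     // reject, do not "clean up" and send
    }
    $headers = "From: webform@example.com\r\n"
             . "Reply-To: " . $clean['email'] . "\r\n";
    return mail('webmaster@example.com', $clean['subject'], $clean['message'], $headers);
}

// Constructed inputs to exercise the validator (no mail is sent here).
$honest = ['email' => 'alice@example.org',
           'subject' => 'Question', 'message' => 'Hi'];
$attack = ['email' => "alice@example.org\r\nBcc: spam@example.net",
           'subject' => 'x', 'message' => 'buy now'];

var_dump(validate_contact_input($honest) !== null);   // honest input accepted
var_dump(validate_contact_input($attack) === null);   // injection rejected
```

Recent PHP releases refuse some malformed newline sequences in the header argument of mail(), but a form should never depend on that: validate every field that ends up in a header, reject rather than sanitise on failure, and keep the From address fixed so the only attacker-controlled data in the headers is a single, validated Reply-To value.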
Training your developers to code with a security mindset matters more than the choice of language. CERT (the Computer Emergency Response Team) found that most application vulnerabilities stem from common programming errors that developers make over and over again. By weeding out insecure coding habits and investing in secure-coding training, your developers can quickly reduce, or even eliminate, the number of vulnerabilities in software before it ships. There are many excellent free resources and tutorials on the Internet for building their skills in this area. One of the leaders in the field is the OWASP site (Open Web Application Security Project), which provides many examples of how to code securely.
CERT's secure-coding initiative starts from the same point: establishing secure coding standards for common programming languages and promoting secure-coding best practices. Another good resource for improving your developers' secure-coding skills is Microsoft's MSDN security community and its material on writing secure code. Microsoft software security expert Michael Howard has co-authored a number of books; the ones you may find most useful are "Writing Secure Code", "24 Deadly Sins of Software Security" and "The Security Development Lifecycle". Much of what they cover applies to any programming language and helps you understand how to code with security in mind: that is, how to use security features correctly and how to write code that can withstand attack.
If you start drawing on these resources and building security into the whole application lifecycle, then whatever language you choose, your next application should be more robust and better able to withstand attack.
Michael Cobb is a well-known security writer with more than 10 years of experience in the IT industry and 16 years of experience in the financial industry. He is the founder and managing director of Cobweb Applications, a company that provides IT training and data security and analysis support. Michael has also co-authored the book IIS Security and writes for leading IT publications.
The original article is from [bi Internet].