[nycphp-talk] "The Web is broken and it's all your fault."
michael
lists at genoverly.net
Thu Sep 14 08:37:20 EDT 2006
http://www.internetnews.com/dev-news/article.php/3631831
"
Those are the words that Rasmus Lerdorf, the creator of PHP,
said to kick off his keynote at the php|works conference under
way here.
...
"The Web is pretty much broken, we can all go home now,"
Lerdorf said somewhat sarcastically to the capacity crowd.
"Luckily most people don't realize that it's broken."
Part of the reason Lerdorf considers the Web "broken" is that
it is inherently insecure for a variety of reasons. One of those
reasons sits at the feet of developers.
"You don't know that you have to filter user input," Lerdorf
exclaimed.
"
Everybody is preaching security (gurus on this list included). So, why
hasn't it caught fire? Here's my quick-list..
1. it is easy to ignore it and the app still works in your test
environment.. and you didn't waste valuable time auditing!
(tongue in cheek) "Despite your Herculean timetable, Mr.
Client, the app is ready. Now I'm going to have to bill you
extra hours to do a security audit and documentation."
"umm.. no thanks, Mr. Developer. I don't have the budget for
your bill padding."
2. php is easy to use and popular; low adoption barriers.
a. newbies haven't been burned yet or don't know best practices
b. popularity brings the dark side for low hanging fruit
c. terms like 'x-site scripting' and 'db injection' are
confusing buzzwords to the newly introduced and (despite
efforts) are not defined well enough; besides,
buzzwords get ignored anyway.
d. "eewww.. that can/will not happen to me"
3. it isn't preached enough
--
Michael
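For readers who find the two buzzwords in item 2c ("x-site scripting" and "db injection") as fuzzy as the post says they are, the following is an added example, not code from the original post or from anyone on the list, showing what "filter user input" concretely means in PHP for each: the broken form next to the fixed form. It assumes the SQLite PDO driver is available; the function names, table, and sample inputs are all constructed for the illustration.

```php
<?php
// Added example (not from the original post): what "filter user input" means
// in practice for XSS and SQL injection. Runs stand-alone with the SQLite PDO
// driver; every name and sample value below is constructed for illustration.

declare(strict_types=1);

// --- Cross-site scripting: encode output for the context it lands in ---

// Constructed sample of what a request parameter such as a comment field
// might carry.
$comment = '<script>alert(document.cookie)</script>';

// Broken: the raw string is interpolated into HTML, so the browser treats
// the tag as markup and executes it.
function renderUnescaped(string $text): string
{
    return "<p>{$text}</p>";
}

// Fixed: encode for the HTML context. ENT_QUOTES also escapes single quotes,
// so the same function is safe when the value is placed inside an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderEscaped(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// --- SQL injection: keep data out of the query text ---------------------

// In-memory SQLite database with one constructed user row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test')");

// Constructed sample of a search parameter that changes the query's meaning
// when it is concatenated into SQL.
$search = "' OR '1'='1";

// Broken: string concatenation lets the input rewrite the WHERE clause.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a bound parameter and is never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Validation on the way in, as a third layer ------------------------

// Constructed sample: an id parameter should be a positive integer, nothing
// else; reject anything that does not parse rather than trying to clean it.
function parseUserId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

echo 'XSS, unescaped: ' . renderUnescaped($comment) . PHP_EOL;
echo 'XSS, escaped:   ' . renderEscaped($comment) . PHP_EOL;
// The concatenated query matches every row; the bound query matches none,
// because no user is literally named "' OR '1'='1".
echo 'SQLi, unsafe rows returned: ' . count(findUserUnsafe($db, $search)) . PHP_EOL;
echo 'SQLi, safe rows returned:   ' . count(findUserSafe($db, $search)) . PHP_EOL;
echo 'id "42" -> ' . var_export(parseUserId('42'), true) . PHP_EOL;
echo 'id "42 OR 1=1" -> ' . var_export(parseUserId('42 OR 1=1'), true) . PHP_EOL;
```

The three pieces are independent layers: validation rejects input that is not the shape the application expects, parameter binding keeps whatever is accepted out of the SQL grammar, and output encoding keeps it out of the HTML grammar. Filtering on input alone does not cover the output side, which is why "filter user input" is usually shorthand for all three.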