This was incredibly enlightening, not because he was as surly and jaded as myself (as well as a phenomenal security Paranoid), but because he openly professed that PHP was a server side layout language. If you were doing more with it than just simply laying out pages, you were doing it wrong.
Of course, you’d be forgiven for laughing at that if you have even passing familiarity with projects like WordPress, Cake or the countless PHP based projects on Github or Sourceforge. The problem is that PHP is surprisingly easy to program in. It’s exceptionally forgiving and has lots of capabilities that really lower the bar for new programmers. What that means is that folks who may not have years of experience or a firm understanding of the dangers to watch out for are trying to roll out very sophisticated applications.
There are loads of examples of this too. A perfect one is WordPress (yes, the very blog software i use right here). It’s gotten FAR better, but even here there are lots of security gotchas i tend to be concerned about. One very large one is that WordPress expects to be able to write to the directory it runs in. This is a HUGE “Not Happening” on any system i work on.
A well secured system runs any display server (that includes the web server) in a protected environment with limited privileges. On my system, the app server can read files. It will never be able to write, because when there’s an exploit in the software, Bad Guys can’t use it to alter files or execute scripts as me. This is how most sites fall, by the way.
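The read-only layout described above can be verified rather than assumed. The script below is an added example, not code from the post: given a web root and the account and group the app server runs as (the names are placeholders; on many Linux hosts it is `www-data`), it lists every path that account could modify, so a deploy step can fail when a CMS or template has quietly left something writable.

```shell
#!/bin/sh
# Added audit script (not from the post). Assumes the app server runs as the
# account/group passed on the command line; "www-data" below is a placeholder.

# Print every path under ROOT that the web account could modify: owned by USER
# with the owner-write bit, owned by GROUP with the group-write bit, or
# world-writable. USER and GROUP must exist on the host or find reports an error.
writable_by_web() {
    root=$1
    user=$2
    group=$3
    find "$root" \( -user "$user" -perm -200 \) \
              -o \( -group "$group" -perm -020 \) \
              -o -perm -002
}

# Count the paths writable_by_web would print; 0 means the web server can read
# the tree but never write to it, which is the layout the post describes.
count_writable() {
    writable_by_web "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Exit-status check for a deploy pipeline: succeed only when nothing under ROOT
# is writable by the web account, and name the offending paths otherwise.
check_webroot() {
    n=$(count_writable "$1" "$2" "$3")
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing under $1 is writable by $2/$3"
        return 0
    fi
    echo "FAIL: $n path(s) under $1 writable by $2/$3:" >&2
    writable_by_web "$1" "$2" "$3" >&2
    return 1
}

# Usage: ./audit_webroot.sh /var/www/html www-data www-data
if [ $# -eq 3 ]; then
    check_webroot "$1" "$2" "$3"
fi
```

Passing the check only proves the web account cannot write; the files still need to be owned by a separate deploy account so that a later `chmod` by an installer cannot hand write access back to the server.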
So, how does all of this relate to the link bait title? Put simply, one of the biggest problems of PHP is that anyone can program in it. i don’t want to sound elitist, but imagine if you could build a free car out of parts someone gave you. A bit of fidgeting, a little swearing and you’ve got something that rolls down the road. Chances are REALLY good, though, that you’ve not built a high end race car with proper safety considerations and navigation systems. Those take skill and knowledge that you may not have yet. You can certainly acquire it, but it’s going to take time, experience, and learning from mistakes.
Same is true with software. It’s not hard to put together a simple program that does some fun things. It’s harder if you want other folks to use it. It’s harder still if you want to build something that, like your car, won’t actively try to kill you or anyone within 10 feet if you do something wrong.
PHP made the tools readily available and easy for folks with limited knowledge and skill to use. That’s a significant accomplishment, but it does mean that there’s a lot of code out there with no tests, no reviews and no support.
What’s worse is that, like the PHP stuff out there, there’s no way for folks to determine which libraries are “Safe” or not. Right now, folks often have no idea that many browser extensions are able to read and write to your disk or web pages directly, and have the ability to report those elsewhere. Libraries are like articles you read on the web. Sometimes the crazy is so deep it’s nearly impossible for you to spot it, even when you bother to actually read it.
We old, cynical, battle hardened coders need to do a better job teaching young coders how to write stuff. Sites like Stack Exchange help, but even those tend to have less than beneficial suggestions, partly because writing for devices isn’t like writing web servers, which isn’t like writing web-apps, which isn’t like writing databases, etc.
It’s also noteworthy that there’s a tremendous amount of broken things on the web. OpenSSL is a good example of this. Not because the underpaid and overworked devs are to blame, but because it’s hard to get folks excited about working on infrastructure. Honestly, while i appreciate the fact that OpenSSL is finally getting rebuilt from scratch, i can only hope that the new code is thoroughly audited and vetted.
And that it’s maintained and regularly updated.
So, maybe we need something that folks want to look for, like Goofus & Gallant for Coders, or Where’s Waldo’s Bug or something. Heck, maybe an Everything Wrong with This Code in 90 Seconds Youtube channel might work.
i help out a few friends that have websites. One of them grabbed a highly rated template for his blog. The template had a JS snippet at the bottom that collected a bunch of stats and did a remote execution. Mind you, there are lots of innocent reasons for something like that, but in essence it opened his site up for easy XSS attacks. i’d wager that the folks that built that site consider themselves “experts”. How do we convince folks like that they still need education?
That’s the thing that i’m trying to get my head around.
And yes, i’m not going to propose a solution here. This is more a sketchpad for any future ideas i might have. Conversations are useful, even if they’re just with myself.