Re: Security - PHP Vs Java

Posted by Carl on 02/02/07 22:16

On Feb 2, 10:46 am, himilecycl...@yahoo.com wrote:
> My State government organization has written a PHP/MySQL application
> which has been in production for about 6 months and has been highly
> successful.
>
> We are now embarking on a similar database application, but one with
> much higher security concerns (birth data). Prior to beginning the
> project, we met with an oversight committee who strongly advised
> against PHP and suggested Java. Their concern was that PHP could not
> be trusted to handle the security of the data adequately.
>
> My team have become fairly adept PHP programmers, but we know little
> about security and other technical issues. None of us are familiar
> with Java, and due to time constraints, we are very reluctant to make
> such a drastic switch.
>
> I have done some brief reading regarding PHP security and it looks
> like a lot of steps can be taken to increase the security level.
>
> Unfortunately, there appears to be quite a bias against PHP in our
> organization, which will be responsible for hosting the application.
> We will definitely be fighting an uphill battle, and are concerned
> that even if we are able to stay with PHP, if there are future
> security problems, we will really be in a bad position for having
> stayed with it.
>
> Any thoughts regarding this issue would be greatly appreciated. Is
> Java inherently much more secure than PHP? If my team of 3 PHP
> programmers were to make the switch to Java, about which we know
> nothing, how much time would that add to the development of a mid-
> sized application (realizing that that is a very general question)?
>
> Many thanks!

Hello,

I'll mostly ignore the question regarding a migration to Java besides
these two thoughts:
- The comparison between security in Java and PHP is not a simple one,
and posting this question in only comp.lang.php is sure to give you
biased responses. Should you really want to pursue this topic, I
would, at the minimum, suggest you also post a question to a java
group (comp.lang.java.programmer perhaps?); if for no other reason to
see the other "side of the coin". I would imagine that posters there
may be more in touch with Java security features, seeing as how many
of them depend on this.
- Writing a secure, well-written web application in Java is no small
feat for a team with little or no Java experience. Not knowing your
project time-line & budget constraints I cannot comment on how
feasible this is for your situation.


That said, before setting off to promote and defend your php
application, since you mention you will be hosting this application,
you should learn in great detail the intricacies of securing web
applications. Auditing your code for PHP security best practices, as
mentioned in other posts in this thread, is essential, but only the
start. Remember that writing secure code does not by itself make an
application secure. Reading and following all PHP security advisories
is also essential, as well as ensuring that the web server and
database installations are secure and up to date. Should the data be
compromised through a webserver/database vulnerability, neither Java
nor PHP could have saved you, but the security of your implementation
will have failed. Again avoiding the issue of whether PHP or Java is
more secure, it is currently possible to write a reasonably secure PHP
application. You are indeed fighting an uphill battle as early
versions of PHP, and the abundance of poorly written PHP scripts out
in the wild have given PHP a bad name in security conscious circles.

Hope that helps,
Carl.
