Posted by Michael Trausch on 04/03/06 16:20
Jerry Stuckle wrote:
>
> David,
>
> No, masking is false security.
>
Security through obscurity does not tend to work for very long periods
of time... Jerry is right. It is effectively giving you a false sense
of security in that you feel that you're eliminating information from an
attacker. There are many ways to find out if PHP is running on the
system or not, outside of your control as the application writer. It's
best to just follow the conventions that are out there for web content.
This will keep your application portable, as well as enable the coders
involved to know at a glance what language your modules are written in
when they look at them. If you use PHP, Perl, and Ruby in your
environment, file extensions are a good thing.

If you truly want security, then test your application against different
types of attacks that it can and likely will be subject to.
Check to ensure that you aren't using register_globals so that your
global namespace isn't tainted. Ensure that your application is not
subject to SQL injection attacks. Verify that you're able to spew lots
of garbage at it and get nothing valid back. Ensure that cookies can't
be crafted (if your application uses cookies) by an attacker. Be sure
that your application isn't vulnerable to replay attacks.

Those are some of the points of security that you need to watch out for,
that will heighten your level of safety in operating the application.
The job of keeping things secure, however, is almost never done;
somebody, somewhere, will find ways to get around things, and then you
have to circumvent them, hopefully before any compromise is made.

- Mike
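One way to put the checklist from the post above into code, as an added example that is not part of the original thread: it assumes a PDO connection and a server-side secret (both placeholders), and the register_globals check only matters on PHP 5.3 and earlier, where the directive still exists.

```php
<?php
// Added example, not from the original post. $pdo and $secret are assumed
// to be supplied by the application; both are placeholders here.

// 1. register_globals: refuse to run while it is on, so request parameters
//    cannot overwrite variables in the global namespace (PHP <= 5.3 only;
//    the directive was removed in 5.4 and ini_get() then returns false).
function assertRegisterGlobalsOff(): void
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('register_globals is enabled; refusing to run');
    }
}

// 2. SQL injection: bind the value instead of interpolating it into the query,
//    so garbage or quotes in $username never reach the SQL parser as SQL.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Crafted cookies and replay: sign the cookie body with an HMAC so it cannot
//    be forged, and embed an expiry so a captured value stops being accepted.
function makeSessionCookie(array $payload, string $secret, int $ttl = 900): string
{
    $payload['exp'] = time() + $ttl;
    $body = base64_encode(json_encode($payload));
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

function readSessionCookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // hash_equals() compares in constant time, so the MAC cannot be guessed
    // byte by byte from timing differences.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null; // forged or tampered
    }
    $payload = json_decode((string) base64_decode($body, true), true);
    if (!is_array($payload) || !isset($payload['exp']) || $payload['exp'] < time()) {
        return null; // garbage, or an old cookie being replayed
    }
    return $payload;
}
```

Unknown or malformed input falls through to `null` at every step, which is the "spew garbage at it and get nothing valid back" property the post asks for.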