Not Again!

Well, looks like the programming religious wars are back on at Slashdot. This is so utterly painful to read so let me paraphrase.

Stefan: "Dude, I quit...I don't feel my security role as a PHP Insider is doing any good"

Zeev: "I see it different, you are quitting for other reasons."

Slash Community: "Isn't PHP Security Expert an Oxymoron"
Slash Community: "Java is better"
Slash Community: "No, C# is better"
Slash Community: "Rails is better"

First, notice the Slashdot community quickly gets off the subject which was really nothing more than a note that Stefan Esser was giving up his security post in the PHP project. What really irritates me – and one of the points Zeev was trying to make – is PHP’s position as it relates to security has more to do with applications being written insecurely using PHP as opposed to PHP itself being insecure. As a person who hires developers, I look for sound coding principles like input filtering, escaping output, knowledge of preventing SQL injection. This is something that needs to be the foundation for any developer regardless of language. Java, .NET, Ruby, etc are not immune to this which is something lost in the coke-versus-pepsi argument that the thread has turned to. Something also lost in all this is the sheer popularity of PHP. Say what you want but PHP is very popular and because it has been adopted by so many organizations and open source projects it is going to be perceived as being less secure because of the sheer number of available PHP applications. Perception is often reality but not here. Please don’t confuse PHP security with PHP application security.

Our shop has PHP, Java and .NET developers working side-by-side and I can say that from a security standpoint the platform has had nothing to do with how secure the resulting application is. It has to do with the frameworks we have in place that attempt to force developers to code securely and it has to do with the fact that our developers are accountable for ensuring the security of their code by following security best-practices. We are not perfect but we have it front-of-mind and we are trying to improve our SDLC to include specific processes for improving our security. That’s all an organization can do, that’s all an open source project can do.

And it has nothing to do with the language. For those who try to make this a religious war (yes, including some of you PHP developers)…shame on you.