Fact: PHP or .NET are not secure by default. It is the IT person's skill that secures them.
Said by “CTO of an IT product company”
“The sole reason we chose PHP over .Net is because PHP is most secure and yet free. We run a tool against the code occasionally and it never reports absolutely any security problem. So obviously our application does not need vulnerability assessment.”
Myth Debunked With The Fact Below
PHP, .NET, Java or any other programming platform is not secure by default. Those are just programming languages. There are two elements of the platform that need to be made secure. The first is the web server running the platform. Web server hardening is very important for fine-tuning security settings. For example, the server needs to be tuned to accept a file upload of only a certain size from the browser side. If this is not done, a maliciously uploaded large file may cause the web server to fail.
The second, and equally important, element is the programming itself, which needs to be carefully performed by the software developer. Most developers do not know the secure coding practices. These are important for removing possible vulnerabilities such as cross-site scripting, CSRF, SQL injection, etc.
Now, as you can imagine, all of the above applies equally well to all programming platforms. It does not matter whether it is PHP, .NET, Java or node.js. It boils down to secure programming practices and hardening of the server that hosts the application code. At the same time, it is true that each programming language provides different or better bells and whistles to let a developer do a better job. For example, PHP has built-in methods to filter user input or parse strings to remove malicious characters, while the .NET and Java platforms provide great ways to handle HTTP sessions. Still, it is the developer's job to understand these functions and use them properly and flawlessly in their code to make the whole picture secure.
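To illustrate that the platform's built-in functions only help when the developer actually uses them, here is an added example (not from the original post) showing the same PHP code written insecurely and then hardened for SQL injection, cross-site scripting and oversized uploads. It assumes the pdo_sqlite extension and a constructed two-row `users` table; no real application is involved.

```php
<?php
// Added example: the same PHP platform, used insecurely and then correctly.

// INSECURE: user input concatenated into SQL -> SQL injection.
function findUserInsecure(PDO $pdo, string $username): array {
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: prepared statement; the driver keeps data separate from SQL.
function findUserSecure(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// INSECURE: echoing input straight into HTML -> cross-site scripting.
function greetInsecure(string $name): string {
    return "<p>Hello, $name</p>";
}

// HARDENED: PHP's built-in htmlspecialchars() encodes the characters a browser
// would parse as markup. It has to be applied at output time, every time.
function greetSecure(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Application-side upload limit, complementing the server-side php.ini limits
// (upload_max_filesize / post_max_size) that the text refers to.
function uploadWithinLimit(array $file, int $maxBytes = 2 * 1024 * 1024): bool {
    return isset($file['error'], $file['size'])
        && $file['error'] === UPLOAD_ERR_OK
        && $file['size'] <= $maxBytes;
}

// Constructed sample data and inputs (hypothetical, not real users or requests).
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE users(username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice','alice@example.com'),('bob','bob@example.com')");
$hostile = "' OR '1'='1";
$script  = '<script>alert(1)</script>';

var_dump(count(findUserInsecure($pdo, $hostile))); // tautology matches every row
var_dump(count(findUserSecure($pdo, $hostile)));   // treated as a literal username, no match
echo greetInsecure($script), PHP_EOL;               // markup reaches the browser unencoded
echo greetSecure($script), PHP_EOL;                 // rendered as harmless text
var_dump(uploadWithinLimit(['error' => UPLOAD_ERR_OK, 'size' => 3 * 1024 * 1024])); // rejected
```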
Senior management must update their knowledge of information security. They must open their minds to compliance standards such as ISO 27001, as well as to vulnerability assessment and penetration testing (VAPT), which is imperative for their corporate networks, web and cloud applications, and also their mobile applications. The right approach for companies is to find the best cyber security vendor or a top-of-the-class information security consulting partner and improve their organization's data security through threat modelling and other appropriate approaches. Additional practices such as security code review services are also highly recommended.
#cybersecurity #mythbusters #myths #ethicalhacking #datasecurity #ciso #cio #cisos