Monday, 18 January 2016 putting the "hack" back into journalism

I can't post this in response to the article in question as the website requires a Facebook login, one of which I do not have. Anyway, there's this exercise in journalistic cheapshottery (yes, I meant that to be an O not an I) "Program Languages That Generate Most Software Security Bugs". Specifically:

Similar findings from OWASP test results show that ColdFusion, PHP, and Classic ASP, in that order, are the worst languages when it comes to software security.

I'd usually leave it to Brad "CFDoberman" Wood to refute, but I'm undergoing a "slow start Monday" today, so I'll rise to it.

My response was gonna be as follows:

I'm not gonna dispute the raw stats, but I will dispute the analysis and the technical competence of the author, in the context of at least "ColdFusion" (the language is CFML, btw, not ColdFusion. That's like describing .Net as a language. Oh... you do that too. They're not languages).

But anyway, the chief failing on your part here is that CFML is implemented basically as a tag lib atop of Java (that's understating things somewhat, but for these purposes it's appropriate). It's a JVM language. Therefore it's incorrect to say that Java's security features are not available to a CFML application. They intrinsically *are* available. It's all baked in.

As for SQL injection prevention... the tools are there as well to prevent against them... one just needs to use them. Same with XSS (it's a single checkbox config option on the ColdFusion management server).

The problem is not the language or the platform: it's the developers. Most CFML developers are bloody useless. This stems from the fact CFML is very easy to program in, meaning the small niche of developers it attracts often times are just not very good at their jobs, because they don't need to be to be productive. I guess this is the language's "fault": it's too easy to use.

I'm far less au fait with PHP, but I know that SQL injection here is also the fault of the developer, not the language. The tools are all there... ppl are just bad at their jobs.

I can't speak for ASP.

On another tangent... taking cheap shots at ColdFusion as a source of security dismay seems a bit odd to me anyhow. It's such a niche product these days... what percentage of WWW volume does it account for? Even if 100% of sites running CF were vulnerable (which, obviously, they're not)... that would be probably equivalent risk as 1% of PHP sites, given the increased market slice of PHP over CFML. So where does the real-world risk lie then?

All in all, lazy uneducated journalism here. But I imagine your remit is more to get eyes on the page than to do well-considered analysis, or to understand what you're talking about.


I really shouldn't pay attention to this crap, as I don't want to encourage people going to the page, but... so be it.

If someone has a Facebook login (someone must), you could do me a favour and post this response in the comments (please attribute it to me, and cross ref back to this article)?

Righto. Back to things that are actually a good use of my time.