the insecure nature

Posted on by

I saw in Ben Ramsey’s blog the link to the eWeek’s “100 Most Influential People in IT” list and this:

60. Stefan Esser
Security researcher
Esser’s “Month of PHP Bugs” project thoroughly exposed the insecure nature of the widely deployed PHP language and forced a rethink of security in the open-source world.

I think Stefan Esser is doing great work by helping make PHP more secure, and so I join the congratulations for being in the list. I don’t really know what 60 means – is half as influential as #30 (Brendan Eich, Mozilla’s CTO) and 1/4 of that of the number 15, Linus Torvalds himself – or they just had to order it because otherwise it is hard to comprehend – but I guess any place in the 100 is great.

What drew my attention, however, is the wording of the description. Namely “thoroughly exposed the insecure nature of the widely deployed PHP language” and “forced a rethink of security in the open-source world“. MOPB was very useful in making PHP better, however I do not see how reporting a bunch of vulnerabilities (most of them fixed by the time of publication – for which thanks to Stefan Esser as the responsible reporter) is “thoroughly exposing the insecure nature of PHP”. Bugs and bug reports – including ones that may affect security in one way or another – are nothing but commonplace in both open-source and non-open-source software worlds. There’s nothing groundbreaking or “exposing” – there’s no secret that programs have bugs and nobody ever denied that in context of PHP or made any claim that I know of that was disproved by publishing these bugs.

I also fail to see how the fact that PHP had 43 bugs (MOPB reported 46 issues, 3 of them not in PHP) in various versions and various modules could force anybody to “rethink of security in the open-source world”, whatever that might mean. Just for the right perspective, main PHP source has now around 80 extensions, issue count on bugs.php.net now nearing 45000 (of course, many of them bogus, but still). To compare, Firefox’s Bugzilla counter approaching 430000 by now. I do not know how many of the bugs reported can be thought of as security bugs, especially provided that many bugs not thought of as security problems per se could lead to security problems given suitable context. Probably a bunch of them. But I do not see how that leads to any “rethinking”. Of course it leads to the plain old thinking – how to fix such bugs and try and prevent future ones like them – but that’s how it always worked and always will work, nothing special.

I’m writing this not to cast any shadow on the list or Stefan Esser’s work. I just think while the recognition of the security research efforts is great, the sensationalist manner that was chosen by eWeek to describe it is just wrong.

5 thoughts on “the insecure nature

  1. Pingback: Top Posts « WordPress.com

  2. The security always were a priority. Well, one of the priorities of course, since there are others – such as usability, etc.

  3. I wouldn’t assign too much significance to the word choice in the article. Authors sometimes have to finish their article under time pressure, and they don’t always have a perfect understanding of every issue they cover. They do their best given the circumstances.

    I guess one interpretation, however, could be that bringing a collection of security-related bugs to greater exposure raised some consciousness in the PHP community that security should be a priority.

    I had a conversation with some other developers last ZendCon in which I shocked them by saying that security was not usually a priority in most IT projects. The group quickly said, “no, it’s very important, we need to urge people to pay attention to it!” I said, “yes, exactly. It is very important, but the fact that projects need to be urged to pay attention to it says that it isn’t already a priority in those projects.”

  4. Agreed, the statement “forced a rethink of security in the OS world” sounds rather silly. It actually sounds as if Stefan’s work had notable consequences much further than in PHP; that security experts in all OS projects stopped working what they were doing, and started thinking from a different perspective — the Sefan Esser Perspective. He caused a revolution in the security of OS. And, if nothing else, does the phrase “security in the OS world” even have a reasonable meaning? Shouldn’t security come with a context, be it an operating system, library, program or whatever? One can’t say “open-source software is insecure”, or even “is secure”, because being secure (or not) just isn’t a property of open source software.

    I respect Stefan’s work, but this is just plain nonsense.

  5. Indeed, saying that he “exposed the insecure nature of the PHP language” is completely inflammatory, because it suggests that PHP is inherently insecure compared to other languages, which is untrue. Of course, being an “enterprise” weekly, the author must have a bias towards more “secure” and enterprisey languages… 😉

Comments are closed.