[ale] Seven Deadly Sins

Transam bob at verysecurelinux.com
Thu Jun 12 19:28:46 EDT 2003


On Tue, Jun 10, 2003 at 06:09:26PM -0400, Sean Kilpatrick wrote:
> Our own Bob Toxen spoke on the seven deadly sins of Linux
> security at the Linux Forum last week in Santa Clara, Calif.
> A new story on his talk is available at:
> <http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci904844,00.html>

> and if that doesn't work, try this link:

> <http://makeashorterlink.com/?R2FE121E4>


> Interesting read.

My talk there was based on my book.  In both I gave the reasons for
my recommendations.  The article referenced above did not include those
reasons.

Regarding PHP, I recommended against using it because the program itself
has had a recent history of lots of severe security vulnerabilities.
Thus, even if one uses it correctly, one's system is at significant
risk of compromise.  I am fond of saying that security is not convenient.
In this case, it means find another solution.  I put IIS in the same
category, but more so.

In the book I also give recommendations for secure programming techniques
that include having all code audited by someone knowledgeable in auditing
for security problems.  I also point out that many programmers who do
CGI programming, including PHP, are not knowledgeable in how to write
code that avoids security vulnerabilities.

For those who don't want to take my word, have a look, if you dare, at:

     http://www.na-tech.com/

That web site presently is compromised and "owned" by a cracker.
It happens to be IIS rather than PHP.  There may be a risk to
vulnerable browsers.  (Thanks to Jonathan Glass who told me about it.)

> Sean

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale