[Dailydave] Startups that Use PHP on HHVM

dave aitel dave at immunityinc.com
Fri Mar 17 09:48:25 EDT 2017


<image about how great PHP is>

Let's say you're a 20-person startup about to develop a world-crushing
combination of IRC and Sharepoint and Imgur. You don't have any code
yet, or maybe just a POC, but you know the majority of your company
relies on a solid and secure web app. (Mobile apps are basically web
apps for purposes here).

If you read books on SDL, they have an entire (super boring) process for
you to go through, and lately your security team has hopped on the
bandwagon of bug bounties, and they are woke as hell. And in addition
they are in Silicon Valley, and want to use what their friends use.
Their friends come from places like Wikipedia, and Etsy, and Facebook,
and they use PHP, but on HHVM, which is a virtual machine for PHP that
implements a JIT and some saner defaults like disabling XXE in the
default XML parser. Also, you can use a new, exciting, statically typed
Java-like language Facebook wrote called "Hack". And they have XHP
<https://docs.hhvm.com/hack/XHP/introduction> which allows the random
strings you are pumping into HTML to be typechecked automatically!

This is a bad idea, according to all available data. If you use PHP, you
will be faced with an unending set of flaws, both big and small, and in
addition, an unending set of new bug classes waiting in the language
like goblins under your Palo Alto bed, which is next to your toilet and
sink.

People go to their bug bounty programs and almost say "The more money we
hand out, the more it is working! Look how much we saved instead of
hiring full time security staff!"

But the failure is strategic. And while I cannot say what in particular
leads that language or this language to be more expensive in the long
term when it comes to security debt, any consulting firm on the planet
will tell you the same thing: we find a ton more critical
vulnerabilities at Immunity in code bases that are in PHP than in other
platforms, to the point where the CHOICE of PHP alone is the driving
factor behind your ongoing security budget increases. That's just WHAT
the data shows. I don't know WHY this is true.

<perl is also great image>

Perl is another terrible choice - and one we still see a lot of! And
what we do in those cases, such as when massive companies choose to use
WordPress for their front page, is set up calls with their staff and say
"We love showing our value to you on engagements with tons of critical
vulnerabilities found, but we recommend you move off WordPress to
another platform at your earliest possible convenience." I did one of
these this week even! It is never news to their CISO or their team. But
having an external voice say it is sometimes valuable.

"It's good enough for Facebook, therefore it's good enough for me!" is
not something you should say. They have an AI and they're building their
own drones so (I assume) they can shoot missiles at hackers from the sky
instead of having to fix their XSS and CSRF problems from IDEs running
in Oculus virtual reality headsets. Just because your CEO wears a black
hoodie does not mean this is you!

If it's too late for your startup, then make a new rule: All new code
must be in Hack. It's not going to be as good as using ASP.Net but it
will over time reduce the interest rate you're paying on your technical
debt, and you may make it to some sort of exit event.

-dave
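
The post mentions HHVM "disabling XXE in the default XML parser" as one of its saner defaults. As an added example that is not part of the original post (and not Immunity's or Facebook's code), the PHP below shows the stock-PHP behaviour that default is reacting to: a parser call that substitutes entities, fed a document whose DTD points an entity at a local file, next to the hardened form a practitioner would ship. The secret file, the payload and the function names are constructed for the demo; it runs on plain PHP 7.x or 8.x on a Unix-like host, no HHVM needed.

```php
<?php
// Added example, not from the original post: what "XXE in the default XML
// parser" means in stock PHP, and the hardening that removes the bug class.
// The secret file, payload and function names below are constructed.

declare(strict_types=1);

// Constructed "secret" an attacker wants the XML parser to read for them.
$secretPath = tempnam(sys_get_temp_dir(), 'xxe_');
file_put_contents($secretPath, "db_password=hunter2\n");

// Constructed attacker payload: a DTD declaring an external entity that
// resolves to a local file, then a reference to it in the document body.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE profile [
  <!ENTITY xxe SYSTEM "file://{$secretPath}">
]>
<profile><name>&xxe;</name></profile>
XML;

// Vulnerable: LIBXML_NOENT tells libxml to substitute entities, external
// ones included. On PHP < 8.0 the external entity loader is on by default,
// so the file contents land in <name> and get reflected wherever the app
// echoes the user's "name". Code passes NOENT all the time because it
// "makes &amp; work"; that is the kind of goblin the post is talking about.
function parseVulnerable(string $xml): ?string
{
    $doc = @simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : (string) $doc->name;
}

// Hardened: refuse any document carrying a DTD (an API payload never needs
// one), never pass LIBXML_NOENT, forbid network fetches, and on PHP < 8.0
// switch the external entity loader off explicitly. PHP 8.0+ disables the
// loader by default and deprecated the call, hence the version guard.
function parseHardened(string $xml): ?string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null; // reject outright rather than trying to parse it "safely"
    }
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true); // keep libxml noise out of the response
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    return $doc === false ? null : (string) $doc->name;
}

echo "vulnerable: ", var_export(parseVulnerable($payload), true), "\n";
echo "hardened:   ", var_export(parseHardened($payload), true), "\n";

unlink($secretPath);
```

Run it under PHP 7 and the first line prints the contents of the temp file; the second returns NULL on every version because the DOCTYPE is rejected before libxml ever sees it. The DOCTYPE check is the part worth keeping even on PHP 8: it also shuts the door on billion-laughs style entity expansion, which disabling the external loader alone does not.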
