<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div align="center"><img alt="<image about how great PHP is>"
src="cid:part1.CF175557.A500BF39@immunityinc.com" height="282"
width="341"></div>
<p>Let's say you're a 20-person startup about to develop a
world-crushing combination of IRC and Sharepoint and Imgur. You
don't have any code yet, or maybe just a POC, but you know the
majority of your company relies on a solid and secure web app.
(Mobile apps are basically web apps for these purposes.)</p>
<p>If you read books on SDL, they have an entire (super boring)
process for you to go through, and lately your security team has
hopped on the bandwagon of bug bounties, and they are woke as
hell. And in addition they are in Silicon Valley, and want to use
what their friends use. Their friends come from places like
Wikipedia, and Etsy, and Facebook, and they use PHP, but on HHVM,
which is a virtual machine for PHP that implements a JIT and some
saner defaults like disabling XXE in the default XML parser. Also,
you can use a new, exciting, statically typed Java-like language
Facebook wrote called "Hack". And they have <a
href="https://docs.hhvm.com/hack/XHP/introduction">XHP </a>which
allows the random strings you are pumping into HTML to be
typechecked automatically! <br>
</p>
<p>This is a bad idea, according to all available data. If you use
PHP, you will be faced with an unending set of flaws, both big and
small, and in addition, an unending set of new bug classes waiting
in the language like goblins under your Palo Alto bed, which is
next to your toilet and sink.</p>
<p>People go to their bug bounty programs and almost say "The more
money we hand out, the more it is working! Look how much we saved
instead of hiring full time security staff!" <br>
</p>
<p>But the failure is strategic. And while I cannot say what in
particular leads that language or this language to be more
expensive in the long term when it comes to security debt, any
consulting firm on the planet will tell you the same thing: we
find a ton more critical vulnerabilities at Immunity in code
bases that are in PHP than in other platforms, to the point where
the CHOICE of PHP alone is the driving factor behind your ongoing
security budget increases. That's just WHAT the data shows. I
don't know WHY this is true.<br>
</p>
<div align="center"><img alt="<perl is also great image>"
src="cid:part3.1CC01581.12EBC22C@immunityinc.com" height="377"
width="360"></div>
<p>Perl is another terrible choice - and one we still see a lot of!
And what we do in those cases, such as when massive companies
choose to use WordPress for their front page, is set up calls with
their staff and say "We love showing our value to you on
engagements with tons of critical vulnerabilities found, but we
recommend you move off WordPress to another platform at your
earliest possible convenience." I did one of these this week even!
It is never news to their CISO or their team. But having an
external voice say it is sometimes valuable.<br>
</p>
<p>"It's good enough for Facebook, therefore it's good enough for
me!" is not something you should say. They have an AI and they're
building their own drones so (I assume) they can shoot missiles at
hackers from the sky instead of having to fix their XSS and CSRF
problems from IDEs running in Oculus virtual reality headsets.
Just because your CEO wears a black hoodie does not mean this is
you!<br>
</p>
<p>If it's too late for your startup, then make a new rule: All new
code must be in Hack. It's not going to be as good as using
ASP.Net but it will over time reduce the interest rate you're
paying on your technical debt, and you may make it to some sort
of exit event. <br>
</p>
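<p>To make the XHP point above concrete, here is an added example (not code from the post or from Facebook's XHP project) contrasting plain PHP string concatenation with the XHP form. It assumes an HHVM install with the XHP library loaded, so that the standard HTML tag classes such as <code>:div</code> are available; the input string is constructed for the example.</p>

```hack
<?hh
// Added example, not from the original post. Assumes HHVM with the XHP
// library available (standard tag classes such as :div). Not strict mode,
// so top-level statements are allowed for readability.

// Constructed untrusted input: a comment body a user submitted.
$comment = '<script>alert(document.cookie)</script>';

// Plain-PHP style: the raw string is concatenated straight into markup.
// Nothing escapes it, so the script tag reaches the viewer's browser intact
// and runs there. This is the classic reflected/stored XSS pattern.
function render_unsafe(string $body): string {
  return '<div class="comment">' . $body . '</div>';
}

// XHP style: the markup is built as an object tree, not a string. A string
// placed in a child position is treated as text and escaped when the tree
// is rendered, so the same input is displayed literally rather than executed.
// The type checker also rejects placing arbitrary values where an element
// is expected, which is the "typechecked automatically" property of XHP.
function render_safe(string $body): :div {
  return <div class="comment">{$body}</div>;
}

// Emitting both so the difference is visible when run under HHVM.
echo render_unsafe($comment) . "\n";
echo render_safe($comment) . "\n";
```

<p>The XHP object is converted to a string when echoed; the only way to emit unescaped markup through XHP is to do so deliberately, which is what makes the default safe rather than the reviewer's diligence.</p>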
<p>-dave</p>
</body>
</html>