Five common Web application vulnerabilities
Sumit Siddharth, Pratiksha Doshi

Five common Web application vulnerabilities 2006-05-24
Anthony Lai, OWASP (Hong Kong Chapter)
Among the OWASP Top 10 vulnerabilities, the items are covered, but the article does not mention the criticality and risk level. It is rather a good idea, and I could refer to OWASP for that.

From this article, some are readily technology dependent, especially those vulnerabilities related to PHP-based applications. As more and more open source portals and applications come out, people and companies are easily taking advantage of them by purchasing a book and then installing them. How about on-going maintenance, including patching, upgrading and monitoring the vulnerability list? I could say: no one will do that, especially for Small-to-Medium Businesses or personal web forums. Most of the defacement, XSS and hacking cases could be found in those PHP-based applications/portals. If you are curious about that, you could simply go to Google and type in:

intext:"Page hacked by"

It will show some sites that have been hacked before, and a large proportion of them are running PHP.

It reminds me that before we implement a web site or application, apart from studying whether the intended technology could make our boss, developers and customers happy, we should be serious about whether it will be a dessert for the hacker, and estimate support efforts including vulnerability patching, updates and security monitoring.

It is not as easy as "Install, Next, Next, Next, Okay, finished!".

Link to this comment: http://www.securityfocus.com/comments/infocus/1864/576#576
Copyright 2008, SecurityFocus