[PhantomGremlin]

Since you're referred to in that article as a "security engineer", I'll ask the following:

I know nothing of PHP other than its reputation. But apparently ownCloud is written in PHP and JavaScript. And PHP has its own "Security" section in its Wikipedia entry. And it has a reputation for security problems.

So, how "secure" (whatever that means) is ownCloud / Nextcloud? Has security been a problem for this software in real life?

[LukasReschke]

Happy to answer this. First of all: Makes using a specific programming language a software much less secure? Probably not. You can do mistakes in every programming language. But since a lot of software is written in PHP and there are also many unexperienced PHP developers this reflects kinda bad on the language.

There is often the perceiption that ownCloud would be insecure because we have so many advisories. But these are just there because we proactively look for security vulnerabilities and patch them. (see also https://statuscode.ch/2015/09/ownCloud-security-development-...)

Oh! And we also run a bug bounty program for ownCloud and Nextcloud will have one with probably even higher rewards soon! - HackerOne did even do a case study with us so it can't be too bad ;) (https://hackerone.com/resources)

[dozzie]

> First of all: Makes using a specific programming language a software much less secure? Probably not.

Quite the contrary, most probably yes. Mistakes happen, but different languages make different kinds of mistakes impossible or very easy. You can't get segfault when manipulating strings in Perl or Python, while in C it takes plenty of effort to avoid.

[jospoortvliet]

That is true, yes. Base ruby or C or PHP make it easy to make entire classes of mistakes you won't get using certain other languages.

But many of these problems can also be caught using the right tools and framework. With Ruby, using Rails will eliminate entire groups of risks you would have without it.

This is the same with PHP and frameworks like Symfony - which, incidentally, we use large parts off. And Lukas has been working a LOT on doing this kind of work, making sure we eliminate types of problems and mistakes developers could make. Combined with training (giving talks and workshops on writing secure code to our developers at events), code reviews by him and others, static code checking and so on, you get something that is really quite secure.

I am confident enough to say that our code base is the most secure way of sharing and syncing files using open source. Of course, before you or somebody else brings it up, SSH and rsync makes for a more secure experience but that's not exactly what Nextcloud competes with so perhaps add 'that gives a dropbox-like experience' to the above qualification :D