by mahadazad 4231 days ago
Insecure code can be written in any language. It's not something that is built in (to some extent that's true). It's not the language that is to blame, but the one who is developing insecure code. PHP has a bad reputation only due to inexperienced developers. Actually, PHP is so easy to pick up that anyone can start building stuff with it. PHP is a great language; it has some odd sides, but overall it's a great language if you use it wisely.

While I agree in general, security holes can be (and often are) introduced at the interpreter level. PHP even has a project that attempts to patch these with an independent module[1].

A good security practice is to stand on the shoulders of giants. Just as Windows is highly secure because it's widely used and incessantly attacked, so are the major web software stacks.

1. http://www.suhosin.org/stories/index.html

>> Just as Windows is highly secure

That's a bold statement.

I don't presume to know more than you, but I don't hear that sentiment echoed very often.

This depends on your definition of secure. The way I use it, "security" is the lowest level of vulnerability to the highest level of attack.

Some OSes (notably OS X a few years ago) are thought to be secure because their installed base is low, so they're low-value targets for attackers. Apple, in general, has a terrible track record with security, and OS X's lack of malware was just security by obscurity -- the vulnerabilities hadn't been discovered because no one was looking for them.

Windows, on the other hand, has been an incredibly high-value target for decades. It has a huge installed base, and it's used by many governments, militaries, banks, and corporations.

For that reason, Microsoft has been forced to become a leading security organization. You can't keep selling massive contracts to governments and large corporations if you're vulnerable to malware.

There are obviously ways to misuse any tool, including an operating system. Many operating systems are insecure if you configure them incorrectly. My statement was just about the incredible volume of attacks that Windows is resistant to, simply because it's been attacked so heavily for so long.

When something becomes more resilient the more it is damaged, it can be said to be antifragile.

However, a closed source product that is engineered centrally still has elements of fragility contained within it that you will not find in decentralized approaches. In the very long-run, antifragility wins over robust yet fragile systems.

That is one reason why I will consider GNU/Linux and BSD to be more secure than Windows. In the long run.

GCHQ recently came out with a statement that Ubuntu is the most secure-by-default consumer grade OS out there.

http://insights.ubuntu.com/wp-content/uploads/UK-Gov-Report-...