[MAGZine]

I don't think an application written in PHP makes it inherently insecure. Maybe if you're talking about some 2004-style PHP with magicquotes and register globals enabled, but not in 2014 with a modern stack/framework. You could write a shitty ruby app just as easily as you can write a shitty php app.

[wdewind]

Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code, especially when compared to a language with even basic features like static typing. I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.

Everyone likes to say security is mission critical, but for the vast majority of people it really isn't. And for those people the development speed advantage, massive developer market, libraries etc. you get working in Ruby or PHP are well worth it.

Everything is tradeoffs, and it seems to me that in writing voting software deployability, development speed etc., are not nearly as mission critical as security.

[sarciszewski]

> Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code

While I'm inclined to agree, this is a self-defeating premise. If you're "so good" of a programmer that you do not make security affecting mistakes (i.e. one of only a handful of PHP programmers I've met), then the probability of inserting "security issues" into your code is still zero, regardless of language.

> I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.

Good. :)

[wdewind]

I don't understand your reply. No one is good enough to write code without bugs.

[sarciszewski]

> No one is good enough to write code without bugs.

This is congruent to saying, "Whitelists don't exist. Everyone implements poorly scoped black-lists."

[wdewind]

I literally have no idea what you mean by this. Are you trying to imply there are people who write bug free code? If so please point me in their direction.

People make mistakes. Systems should be designed for this expectation. If mistakes are extremely costly it implies you should use certain tools and development methodologies, if not you can use others.

[sarciszewski]

Code that is bug-free and code that is free of security-affecting bugs are not the same thing.

For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P