Java is Insecure

Java is insecure.

There, I've said it. I'm not a Java developer, and I really don't know the
ins and outs of Java development, but that doesn't stop me from being ignorant
like the rest of them.

I'm at work, and a few minutes ago there was a mini PHP-bashing session. First,
the guy opposite me was explaining to me how PHP is vulnerable to SQL injection
attacks. My response implied that he should stop coding Java applications
without Hibernate (or any other DAO/ORM) and see how far that gets him with
security. The same goes for PHP - I use ORM/DAO tools to assist my development
(not only is it more secure, but I find it much more productive. Win!).

The problem I find is more about education. As a developer, he
understands SQL injection, and if necessary, he could protect himself
against it. In an ideal world there are automated tools that manage the protection
for you (because human error is just too common). It seems too many PHP
"developers" are not educated enough to deal with the implicit risks involved in
using PHP, or (as mentioned) human error/laziness kicks in and security is
overlooked. Maybe there's not the budget for it. Either way, PHP itself is not
at fault.
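To make the point concrete, here is an added example (mine, not code from the original post): the same login lookup written the "long way" by splicing user input into the SQL string, next to the PDO prepared-statement version, which is what a DAO/ORM layer does underneath. The SQLite in-memory database, the `users` table and the two rows are constructed in the script so it runs offline; passwords are stored in plaintext purely to keep the injection visible.

```php
<?php
// Added example, not from the original post. Shows the same query written
// with string concatenation (injectable) and with a PDO prepared statement.

// Constructed test fixture: an in-memory SQLite database with two users.
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
    // Plaintext passwords only so the bypass is easy to see; never do this for real.
    $db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
    return $db;
}

// Vulnerable: untrusted input becomes part of the SQL text, so a quote in
// the input changes the structure of the query, not just its values.
function loginConcat(PDO $db, string $name, string $password): bool {
    $sql = "SELECT id FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the SQL text is fixed at prepare time; the values travel to the
// driver as bound parameters, so the same input is compared literally.
function loginPrepared(PDO $db, string $name, string $password): bool {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetch() !== false;
}

$db = setupDb();
// Classic tautology payload: turns "AND password = '...'" into "... OR '1'='1'".
$payload = "' OR '1'='1";

$cases = [
    ['concat, real password',     loginConcat($db, 'alice', 's3cret')],
    ['concat, injected password', loginConcat($db, 'alice', $payload)],
    ['prepared, real password',   loginPrepared($db, 'alice', 's3cret')],
    ['prepared, injected password', loginPrepared($db, 'alice', $payload)],
];

foreach ($cases as [$label, $ok]) {
    printf("%-30s %s\n", $label, $ok ? 'logged in' : 'rejected');
}
```

Running it shows the concatenated version accepting the injected "password" while the prepared statement rejects it. One caveat on the ORM argument: Hibernate, PDO or any other layer only protects you for queries it builds itself; hand it a string you concatenated yourself (raw SQL, or HQL assembled with user input) and you are back to the first function.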

So then I migrated over to join the slightly larger group of people bashing PHP.
As I arrived, I was immediately recognised as 'the guy' that would have a vague
idea about what was in question. They were discussing how a site had been
developed in PHP and there was talk of issues integrating a mobile side of the
app, and a guy chirped in saying 'well, I'd probably want to use Java for that'.
Understandable, he knows Java - it's only natural. He mentioned that it was
because they have libraries to assist with that kind of stuff, and went on to
say that PHP couldn't do that same stuff. That's where he crossed the line.
Honestly, I have no idea if PHP has libraries to help out, but that's far from
the point. He was saying how he can use a single tag to generate a different
sized image based on the client's mobile device.

So, the fact that Java has libraries written makes PHP an inferior platform?

I just find it awfully arrogant. I mean, I entirely understand where he's
coming from, and I agree that too many PHP applications are insecure and do
things the "long way", but they don't all have to be like that. What was Java
development like before Spring, Hibernate and whatever else is a buzzword in
Java these days? I remember talk of EJBs and Struts, which was all met with
winces of agony - no one wanted to do it. Same deal? Did that make Java any less
attractive? Apparently not.

This is awfully one-sided, and trust me, I know there's a right tool for every
job. But I think blind language bashing is just cheap ignorance.

There are many, many more facets to the PHP vs Java argument which people
should be much more considerate of. Java, whilst being powerful, is certainly
not the tool for every job.

Go team.

Many more days like this to come, I anticipate.

Friday, June 29. 2007
