9/6 I need to write a Highly Secure (like banking/gambling level security)
web application.
Is Java any more secure than PHP (ceteris paribus)?
And what is the best way to go about getting an outside agency that
will do a thorough audit when I'm done? I don't need some h0zer to
run a nessus/SAINT scan and throw it on some letterhead.
\_ I'd trust Java a bit more than PHP. It's actually a main dev
concern, whereas with PHP it seems like it's been an afterthought.
Take it with a grain of salt. I'm a sysadmin, not a developer.
\_ Concerning audits, I would do two types; first of all, don't
underestimate h0zers with nessus/SAINT. Peer review is a Good
Thing (tm). Don't hesitate to ask people you know to hammer away
at it. You'll also, for the suits, want a (mainly pro-forma)
formal audit--depending on your level of funding, you might want
either a consultancy that does a lot of security work, like KPMG
(ugh, disclaimer, I think they're all pretty worthless, but this
is for the suits, remember), or one of any number of smaller
outfits to have a go at it. Otherwise, you can probably find
someone CISA certified through ISACA (http://www.isaca.org) with
strong application audit clue. If that's no good, mail me and
I can probably help you find someone, obBlatantPlug. -John |