A lot of us write code which is available on the Net, whether it be network servers, application frameworks, mod_perl handlers, or CGI scripts. We have to think about security. I've recently done a security audit of some code at $work and the main thing I can say is thank god I wasn't doing a code review too ;-). Anyway, the most important thing to remember is that you shouldn't trust information that the user can change - that includes CGI parameters, HIDDEN form elements, and HTTP headers. Always quote DBI values - use bind parameters. Oh, and use warnings, strict and taint. That will catch most of your problems. I've recently read OWASP's A Guide to Building Secure Web Applications which contains most of the problems (but could go into a great deal more detail while describing solutions). Security is important, mkay?
I'm currently writing a talk, for possible use at next year's YAPC::Europe, that discusses how QIIS approached some of these problems when rewriting their core product. I was horrified to see how easy it was to break the code, and even more horrified that knowing that it was flawed, no-one had plugged the holes earlier!
With all the dangerous CGI scripts out there, $someone could make a killing out of a CGI Security book.
Re:A gap in the market
nicholas on 2002-10-08T16:29:24
With all the dangerous CGI scripts out there, $someone could make a killing out of a CGI Security book.I forsee a flaw in your cunning plan. You're assuming that the monkeys that write these dangerous CGIs realise that they ought to buy such a book
(And a more subtle flaw - that the non-monkeys aren't so arrogant to assume that they know everything already, and hence don't buy your book)
Re:A gap in the market
barbie on 2002-10-08T18:24:15
It is a flaw, but there enough very clever people about who have done talks about web security, that a joint venture might be better than the sum of the parts.I also think that, most well written and authoritive books, do eventually get the recognition they deserve.
With a bit of good karma from the community and well received press reviews, I would imagine many new perl CGI programmers might even be embarrassed to admit they don't have it.
Okay so I was wearing rose-tinted glasses for that last bit
;)