All the Perl that's Practical to Extract and Report

Security

acme on 2002-10-08T14:27:05

A lot of us write code which is available on the Net, whether it be network servers, application frameworks, mod_perl handlers, or CGI scripts. We have to think about security. I've recently done a security audit of some code at $work and the main thing I can say is thank god I wasn't doing a code review too ;-). Anyway, the most important thing to remember is that you shouldn't trust information that the user can change - that includes CGI parameters, HIDDEN form elements, and HTTP headers. Always quote DBI values - use bind parameters. Oh, and use warnings, strict and taint. That will catch most of your problems. I've recently read OWASP's A Guide to Building Secure Web Applications which contains most of the problems (but could go into a great deal more detail while describing solutions). Security is important, mkay?

A gap in the market

barbie on 2002-10-08T15:42:14

I've been waiting for a book that actually goes into decent detail about this, but have yet to find anything.

I'm currently writing a talk, for possible use at next year's YAPC::Europe, that discusses how QIIS approached some of these problems when rewriting their core product. I was horrified to see how easy it was to break the code, and even more horrified that knowing that it was flawed, no-one had plugged the holes earlier!

With all the dangerous CGI scripts out there, $someone could make a killing out of a CGI Security book.

Re:A gap in the market

nicholas on 2002-10-08T16:29:24

With all the dangerous CGI scripts out there, $someone could make a killing out of a CGI Security book.

I forsee a flaw in your cunning plan. You're assuming that the monkeys that write these dangerous CGIs realise that they ought to buy such a book

(And a more subtle flaw - that the non-monkeys aren't so arrogant to assume that they know everything already, and hence don't buy your book)

Re:A gap in the market

barbie on 2002-10-08T18:24:15

It is a flaw, but there enough very clever people about who have done talks about web security, that a joint venture might be better than the sum of the parts.

I also think that, most well written and authoritive books, do eventually get the recognition they deserve.

With a bit of good karma from the community and well received press reviews, I would imagine many new perl CGI programmers might even be embarrassed to admit they don't have it.

Okay so I was wearing rose-tinted glasses for that last bit ;)