in reply to Security techniques every programmer should know
Writing secure programs. Wow, that's a huge topic. Where to start? :-)
I suppose with some basic Perl references. The Camel Chapter 20 "Security" provides an excellent (and much more detailed than perlsec) overview of fundamental Perl security issues. This chapter is broken into: Handling Insecure Data, Detecting and Laundering Tainted Data, Defeating Taint Checking, Cleaning Up Your Environment, Accessing Commands and Files Under Reduced Privileges, Handling Timing Glitches (Unix Kernel Security Bugs, Handling Race Conditions, Temporary Files), Handling Insecure Code (Changing root, Safe compartments, Code Masquerading as Data).
The Perl Cookbook has recipes: 8.17 (Testing a File for Trustworthiness), 19.4 (Writing a Safe CGI Program), 19.5 (Executing Commands Without Shell Escapes).
Though the Safe module is described in the Camel, it's not safe according to "Safe.pm considered unsafe?".
The venerable suidperl has apparently had all known insecurities plugged by Paul Szabo in Perl 5.8.4. However, "For new projects the core perl team would strongly recommend that you use dedicated, single purpose security tools such as sudo in preference to suidperl" (perl584delta).
Which leads me to an important general piece of security advice (simplifying outrageously): Keep up-to-date with the latest version of perl. Well, that's a bit over the top; keep an eye on security alerts and perldelta security bug fixes and upgrade your perl judiciously. Apart from Paul's heroic suidperl fixes, security bugs are being squashed all the time. For example, perl 5.8 introduced Hash Randomisation and ensuring that sort never goes O(n-squared). Despite these two important denial-of-service (DoS) improvements, Perl regular expressions remain a concern for DoS attacks, it being easy to write (and hard to detect) a regular expression that finishes after the heat death of the universe.
Application Security References
- Application security aka AppSec (wikipedia)
- Dynamic application security testing (wikipedia)
- Static application security testing (wikipedia)
- Fuzzing aka Fuzz Testing (wikipedia)
- Application service architecture (wikipedia)
- Computer emergency response team (wikipedia)
- Runtime application self-protection (wikipedia)
- Security information and event management (wikipedia)
- Cross-site scripting (wikipedia)
- SQL injection (wikipedia)
- Code injection (wikipedia)
- Denial-of-service attack (wikipedia)
- XML external entity attack (wikipedia)
- Billion laughs attack (wikipedia) (denial-of-service attack aimed at XML parsers)
- Fork bomb (wikipedia)
- Zip bomb (wikipedia)
- Email bomb (wikipedia)
- Black fax (wikipedia)
- Busy beaver (wikipedia)
- How do I check a valid mail address (perldoc faq)
- Writing Secure Code (book)
- Secure Coding in C and C++ (book)
Static Program Analysis
- Static program analysis (wikipedia)
- Coverity (wikipedia)
- CodeSonar (wikipedia)
- Clang Static Analyzer
- ZARN - security code analysis for perl by Discipulus (2023)
- Ideas Wanted for Perl::Critic Security Policies by jthalhammer (2006)
- Perl::Critic Policy Themes (see policies that relate to security issues)
- CERN Computer Security Information: Perl::Critic
- CERN Computer Security Information: RATS
- Perl Critic distributions and policies (perlmaven)
Dynamic Program Analysis
- Dynamic program analysis (wikipedia)
- Valgrind (wikipedia)
- Code sanitizer (wikipedia)
General Security References
- Software development security (wikipedia)
- Computer security (wikipedia)
- Computer security software (wikipedia)
- Data security (wikipedia)
- Information security aka InfoSec (wikipedia)
- Open-source software security (wikipedia)
- Open Source Security Foundation (wikipedia)
- Open Security Foundation (wikipedia)
- IT risk management (wikipedia)
- Information security management (wikipedia)
- ISACA (wikipedia)
- Certified Information Systems Security Professional (wikipedia)
- Common Vulnerabilities and Exposures aka CVEs (wikipedia)
- OWASP Open Web Application Security Project (wikipedia)
- OWASP.org
- OWASP Top Ten (the most critical security risks to web applications)
- Security testing (wikipedia)
- Penetration test (wikipedia)
- Race condition (wikipedia)
- Heisenbug (wikipedia)
- Cryptography (wikipedia)
- SHA-1 (wikipedia)
- MD5 (wikipedia)
- HMAC (wikipedia)
- Comparison of cryptographic hash functions (wikipedia)
- Wi-Fi Protected Access (WPA) (wikipedia)
- Public-key cryptography (wikipedia)
- Public key infrastructure (wikipedia)
- Key management (wikipedia)
- Key Management Interoperability Protocol (wikipedia)
- Key server (wikipedia)
- keypair (wiktionary)
- OpenKMIP (wikipedia)
- OpenSSL (wikipedia)
- Comparison of cryptography libraries (wikipedia)
- Comparison of TLS implementations (wikipedia)
- Password (wikipedia)
- Passphrase (wikipedia)
- Password manager (wikipedia)
- Password policy (wikipedia)
- Password cracking (wikipedia)
- Password psychology (wikipedia)
- Password-based cryptography (wikipedia)
- Multi-factor authentication (wikipedia)
- Vault by HashiCorp
- Alternatives to HashiCorp Vault
- Oracle secure external password store
- Oracle wallet
- Transport Layer Security (TLS)
- Comparison of TLS implementations
- Certificate authority
- FreeTDS (mentioned by Tux in Re: DBI connecting to MS SQL Server TLS 1.2)
- GNU Privacy Guard (wikipedia)
- Pretty Good Privacy (wikipedia)
- Web of trust (wikipedia)
- Key signing party (wikipedia)
- Retroshare (wikipedia)
Perl Security References
- perlsec
- perlsecpolicy
- Storable (Some features of Storable can lead to security vulnerabilities if you accept Storable documents from untrusted sources with the default flags)
CPAN Security
- CPAN (see SECURITY section)
- Module::Signature
- CryptX - Cryptographic toolkit
- CPAN faq
- CPAN Security Advisory Database (CPANSA)
- CVE CPAN Security Vulnerabilities
- CPAN (wikipedia)
- Stack overflow question (How do I know if I can trust a CPAN module?)
- Security stack exchange question (Perl CPAN modules in a PCI-DSS environment)
- Bug #130819 for CPAN: default urllist config is insecure (RT)
- Adding HTTPS support to CPAN (github)
- Addressing CPAN vulnerabilities related to checksums (blog by Neil Bowers)
- Signature Verification Vulnerabilities in CPAN.pm, cpanminus and CPAN::Checksums (Hackeriet blog)
Perl Monks Nodes related to CPAN Security
- HSTS policy breaks cpan utility on Windows by syphilis (Nov 2019)
- CPAN clients exposed to sig-related vulnerabilities by hippo (Nov 2021)
- sometimes no Perl news is good news by zentara (Nov 2021)
- OT. Malicious software in PyPI by parv (July 2021)
- Re^7: pod2html: link (L<...>) formatting code (timeloop) by choroba (Dec 2021) (advising kcott to delete all checksums due to a CPAN vulnerability)
- SOLVED: Key Not Certified in CPAN by dorko (Feb 2022) (same CPAN checksum problem as kcott above)
- Libraries and security by davies (May 2022)
- Possible security problem in CPAN modules / CVE-2018-25032 by cavac (Mar 2022) - zlib compression library, CVE-2018-25032
- Re: Testing with Test::Mock::Tiny::HTTP by kcott (2023) - mentions CVE-2023-31486 (HTTP::Tiny before 0.083 has an insecure default TLS configuration where users must opt in to verify certificates)
- Security Checks for CPAN Module Authors by localshop (2018)
- Blatant security problem in certain CPAN module installs by toma (2004)
- LWP::UserAgent and Passphrase protected Certificates by Sifmole (2005) - mentions LWP::UserAgent, IO::Socket::SSL, Net::SSLeay
- Re: THREE new perl releases by kcott (Nov 30 2023) - original node by Tux (Nov 26) notes perl 5.38.1/5.36.2/5.34.2 fix CVE-2023-47038 and CVE-2023-47039 (Test::CVE also mentioned)
CPAN and Package Manager Security:
- Re^7: Meaning of XS object version (CPAN and Package Manager Security References) by me (July 2023)
- cpan/cpanm integrity and authenticy checks concerns by hrcerq (July 2021) - my reply
- package managers still vulnerable: how to protect your systems (2009)
- Attacks on package managers (2009)
- signify: Securing OpenBSD From Us To You
- Certificate authority (wikipedia)
- Web of trust (wikipedia)
Perl Monks Security Related Nodes
Classics:
- Calling External Commands More Safely by haukex
- "open" Best Practices by haukex
- Re: Hiding your Script (Security through Obscurity References)
- Re: Check for another program availability (Running External Processes on Unix and Windows References)
String Eval vs Block Eval:
- The safety of string eval and block eval. by TrixieTang (2016)
- Re^3: Create sort function from a text file (string eval vs block eval) by me (2021) (Do not resort to eval-string if other means are available)
- Re: Create sort function from a text file by haukex (2021) (note that running untrusted code from a text file is a security risk)
- Re: Loading PERL Module from scalar in RAM? by haukex (2023) (answer to your question is likely eval, although of course that comes with serious security considerations if the code being executed is not 100% under your control)
- Re: I failed today by bliako (2023)
Taint Mode:
- How to disable taint checking by Perl? by dissident (2023)
- Mojolicious FAQ - There is no benefit at all to using taint mode
2022-2024
- PerlMonks Certificate Expired by harangzsolt33 (2023) - Perl Monks site down for a couple of days from Sep 18 2023
- The Quickest Way to Set Up HTTPS by NERDVANA - The Quickest Way to Set Up HTTPS (blogs.perl.org)
- Getting Started with GnuPG and GPG by derby (2002)
- Unable to get any decrypted output from $gpg->verify by xuo (Aug 2023) - question about Crypt::GPG (Perl interface to GNU Privacy Guard aka GnuPG or GPG)
- anti csrf token & Penetration testing by djlerman (Aug 2023)
- Using AnyEvent to create a TLS server by Bodger (Aug 2023)
- Proper and acceptable use of backticks in a modern Perl script by Polyglot (Sep 2023)
- error_know_host error by BernieC (Oct 2023)
- libexpat vulnerability by phew47 (Feb 2022)
- Getting an SSL Certificate Expiration Date by enemyofthestate (Feb 2022)
- In 2022, my preferred method to securely store passwords is: poll by cavac (Jan 2022)
- Solved: Getting an Access Token by PerlMonger79 (Mar 2022)
- Crypt::OpenPGP does not support .kbx ring format? by richelectron (Mar 2022)
- Hashing passwords? by edwyr (Apr 2022)
- Running user-provided JavaScript code by cavac (Apr 2022)
- Critique of some perl code. by jwkrahn (Apr 2022) (see shell code injection response by aitap)
- NTLM Authentication w/ Internal Site by DanEllison (May 2022)
- IO::Socket::SSL with http proxy tunnel? by lembark (June 2022)
- Google OAuth and Get User Info by WindyJMusic (June 2022)
- IO::Socket::SSL / Net::SSLeay inefficient in non-blocking mode ? by Yaribz (June 2022)
- Any security holes? by Limbomusic (June 2022) (see also appending to html at beginning by the same author from 2017)
- Re^3: Doubt about Template Toolkit by hippo (July 2002) (passing raw SQL in a query string like this sets off all sorts of security Klaxons)
- Re^3: Regex: match a word stem plus an optional suffix from a group by Your Mother (2022) (escape interpolated stuff in regexen to avoid DoS attacks)
- Re^2: Big cache by cavac (Aug 2022) (annoyance of needing to be root to listen to network ports below 1024)
- Allowing regex entries in web form to search database: Risks or gotchas? by Polyglot (Aug 2022) (allow user to enter regex in a web form?)
- WWW::Mechanize and SSL by Jonathan (Aug 2022) (SSL certificate question)
- get ssh key passphrase from agent by ninto1 (Aug 2022) (trying to connect Simpack to a high performance cluster via SSH)
- Re^7: Getting values with help of curl by afoken (Sep 2022) (shell injection vulnerability with curl ... you wouldn't notice something is wrong when someone managed to manipulate the DNS and make your script connect to the wrong server presenting a wrong certificate, because you explicitly switched off certificate verification (curl -k a.k.a. curl --insecure) )
- Re: Use a Serialized Hash... When It Might Not Exist? by afoken (Nov 2022) (security issues associated with serialization and XML)
- Re: null output on program by haukex (Nov 2022) (security issues associated with Calling External Commands More Safely)
- Path Traversal Vulnerability (Dec 2022) (useful replies from haukex)
- Re^3: how to escape round parentheses in a system call by haukex (June 2023) (security issues associated with Calling External Commands More Safely)
- ZARN - security code analysis for perl by Discipulus (April 2023) (zarn: "a lightweight static code security analysis for Modern Perl Applications")
- Re: Onkeyup not working by haukex (2023) - mentions Mojo::Template and how to check an email address
- Serious vulnerability in Spreadsheet::ParseExcel (SOLVED) by Cody Fendant (2024) - vulnerability in Spreadsheet::ParseExcel
- Not understanding the code to drop privileges in perlsec by Nocturnus (2024) - for "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be absolute and non-writable by others than its owner and group
Earlier:
- Re^5: PSGI/Plack unsatisfactory performance by Your Mother (Dec 2021)
- creating a secure environment for perl scripts to run by Aldebaran (Dec 2021)
- Debugging a module that's failing under taint mode by Bod (July 2021)
- Prefer Pure Perl Core Modules by Leitz (July 2021)
- Re^3: Rediscovering Hubris by me (2021)
- SEI Perl book? by EvanCarroll (2019)
- cpan.search links blocked by Norton Internet Security by BillKSmith (2017)
- Security techniques every programmer should know by Juerd (2004) (I replied)
- Safe.pm considered unsafe? by dragonchild (2004)
- Secure Perl Coding Standards by Binford (2009)
- Status of Recent User Information Leak by Co-Rion (Jul 30 2009)
- How to answer "Perl is not secure" objections? by radiantmatrix (2007)
- Why do you have to worry about Brute Force Attacks? by anonymonk (2006)
- Ideas Wanted for Perl::Critic Security Policies by jthalhammer (2006)
- Perl Training Australia's Security notes released by pjf (2006)
- Is it Secure? by cjf (2002)
- (OT) Security Rant by Ovid (2001)
- Stay aware of security by tilly (2001)
- Is this code secure, can I test it on my machine? by szabgab (2010) (I replied)
- Perl Cryptography - Seeking Resources by ljamison (2016)
- OT: Storing encryption keys securely by Beatnik (2017) (I replied)
- Couldn't start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed by rich101v2 (2014)
- Password Protect a Perl Script by smart_amorist (2013)
- Re^2: security: making sure graphics uploaded by users are safe by afoken (2009)
- Paranoid about web application security by perleager (2005)
- Web Application Security Testing by ghenry (2005)
- how could i make "them" understand that security IS important ? by iza (2002)
- Managers can't see security by perrin (2002)
- Web Security by merlyn (2002)
Two nodes with the same title :)
- Password Encryption by anonymonk (2002)
- Password encryption by vasanth.easyrider (2018)
- How can a script use a password without making the password visible? by Cody Fendant (2017)
- Accessing passwords in a script by nysus (2017)
- Hide DBI password in scripts by danielgr (2018)
- Re^4: The 10**21 Problem (Part 4) (Python hash function C code protection against DoS attacks)
- On Coding Standards and Code Reviews (see Security section)
- Effective Automated Testing (see Security references)
- Writing Solid CPAN Modules
- Unix shell versus Perl and this response (compares Perl security to Unix shell, taint mode, setuid, environment variables, functions vs external commands)
- Re: Perl Memory problem ... (Memory Tools References)
- web site design, or lack thereof by merlyn (2002)
- Re: •web site design, or lack thereof by Fletch (2002) (security is a process, not just a checkbox plus a book recommendation)
- Security Is Hard Not Easy - Re: •web site design, or lack thereof by metadoktor (2002) (contains some computer security links)
SQL related:
- Best practices for closing database connections? by Polyglot (2022)
- Re^3: Best practices for closing database connections? by hippo (2022)
- Re^7: Best practices for closing database connections? by Fletch (2022)
- Re^7: Best practices for closing database connections? by marto (2022)
- Re^2: processing PSQL with system command by g_speran (2022)
- DBI connecting to MS SQL Server TLS 1.2 by PearlNovice (2019 - see response by Tux)
- [SOLVED] HMAC_SHA1 Implementation for WPA by return0 (2014) - anony necropost reply in 2024 Re^3: HMAC_SHA1 Implementation for WPA
Golf :-)
- The golf course looks great, my swing feels good, I like my chances (Part III) - the PHP md5 and sha1 functions proved well-suited to creating PHP magic formulae
Other
- NT LAN Manager aka NTLM (wikipedia)
- Alice and Bob (wikipedia)
- Diffie-Hellman key exchange (wikipedia)
- Bruce Schneier (wikipedia)
- Applied Cryptography (book)
- Reflections on Trusting Trust (by Ken Thompson)
Updated: Many extra references were added long after the original reply was made.