perlquestion
radiantmatrix
<p>I'm used to dealing with Perl-FUD of many shapes and sizes, from "it's unmaintainable" to "it's not enterprise-ready" to "it's too slow<sup><small>{1}</small></sup>". Today, though, I got a new one. My manager's manager's manager (manager^3, for short) is trying to put the brakes on a very nice project that happens to be mostly Perl code, on the grounds that "Perl is not secure."
<p>As far as I can tell, manager^3 believes that this is the case because 'Perl has bindings into OS calls that bypass OS security'.
<p>Fortunately, manager and manager^2 don't buy it. Manager^2 has asked me to disprove manager^3's misgivings. Now, I can certainly explain how Perl works, but that (a) will probably be beyond manager^3's ken, and (b) manager^3 will not be convinced by just my words alone.
<p>I've Googled quite a bit, but can't really find what I'm looking for: a good article (not on someone's blog, unless they are a well-known technologist<sup><small>{2}</small></sup>) that explains how Perl compares to .NET and/or Java in terms of security. FWIW, the application in question is to be installed on a RedHat Linux server and run under mod_perl, so any suggestions specifically germane to that environment would be useful as a supplement to more general resources. Ultimately, any help I can get from the Monastery would be useful.
<p>I know there are Monks here who could probably write and publish such a piece, and whose work would be respected, but I'd be happy with any reference I can get hold of. Unfortunately, time is short; I only have a few days to make my case that we don't need to ditch an entire product just because it's written in Perl.
<p>Whatever material I find elsewhere, I will post here as well. Whatever I use, I will collect together and post, with a report on how it was received. When that happens, I will link to that post (probably a Meditation, I'd think) by updating this node as well.
<p>Many thanks!
<small>
<ol>
<li>Granted, Perl is sometimes too slow, but usually people think it's a lot slower than it really is.
<li>Doesn't have to be a household name, but someone who has done good work on something recognizable would be perfect.
</ol>
</small>
<hr><h4>Update:</h4>
<p>Based on links provided below (thanks to those that read and understood that I needed external documentation, not just a technical explanation), and in collaboration with some savvy pro-Perl managers at my organization, I've come up with the following upper-management-friendly summary:
<blockquote>
<p>In general, Perl should be accepted as a secure development platform because:
<ol>
<li>The Perl interpreter is a standard OS executable binary, and can be controlled like any other application
<li>Perl notices when an application is running under SetUID or SetGID, and forces "taint mode" -- a feature that requires the application validate data before passing it to potential injection targets.
<li>Perl is a virtualized environment (like Java or .Net Managed Code), and thus prevents buffer overflows and other classes of vulnerability, making it a more-secure choice than C/C++ or .Net Unmanaged Code.
</ol>
<p>Additionally:
<ol>
<li>Perl is used extensively by many top enterprises:<ol>
<li><strong>Morgan Stanley</strong> has widely been recognized as having one of the best IT departments in the financial industry: see [http://conferences.oreillynet.com/cs/os2003/view/e_sess/4293], a presentation given on how Morgan Stanley uses Perl for command-line, GUI, and Web applications throughout their enterprise
<li><strong>Citigroup, JPMorgan, UBS, Bank of America, Deutsche Bank</strong> and others all make use of Perl: [http://perltraining.com.au/whyperl.html#who]
<li>The <strong>Swedish government</strong> uses Perl to run its pension system: [http://www.oreillynet.com/pub/a/oreilly/perl/news/swedishpension_0601.html]
<li>The <strong>Canadian Customs and Revenue Agency</strong> uses a Perl-based system for document management and control (in a high-security setting): [http://www.oreillynet.com/digitalmedia/blog/2002/06/perl_success_story_perl_provid.html]
<li>The <strong>University Hospital of Lausanne</strong>, Switzerland manages its healthcare-billing system with Perl: [http://www.oreillynet.com/windows/blog/2004/09/perl_success_story_easy_health.html]
</ol>
<li><strong>Gartner</strong>'s list of main app development technologies is: .Net, J2EE, and LAMP. LAMP is Linux (and OpenSolaris), Apache, MySQL (and Postgres), and <em>Perl</em>, PHP, or Python.
</ol>
</blockquote>
<p>This is not entirely final, so if others have something to add, please feel free to do so.
<p><small><b>Updates:</b><ul type='square'>
<li>20070907 : added marked 'Update' section</li>
</ul></small></p>
<div class="pmsig"><div class="pmsig-375088">
<small>
<small>&lt;–radiant.matrix–&gt;</small>
<br><a href='http://radiantmatrix.org/'>Ramblings and references</a>
<br><em>The Code that can be seen is not the true Code</em>
<br><em>I haven't found a problem yet that can't be solved by a well-placed [http://en.wikipedia.org/wiki/Trebuchet|trebuchet]</em>
</small>
</div></div>
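<p>The second point of the summary above (taint mode forcing validation before data reaches an injection target) is easiest to show than to describe. The following script is an added illustration, not code from the original post or from any project it names; the file name, the command and the "CGI parameter" are constructed sample input, and <code>untaint_filename</code> is a hypothetical helper written for this example. Run it with <code>perl -T taint_demo.pl</code>.</p>

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). Run as:  perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, Perl distrusts every value that comes from outside the program
# (%ENV, @ARGV, STDIN, files). Before any system()/exec()/open-for-write,
# PATH must be set to something the program itself chose, and the shell
# environment variables that could alter command lookup are removed.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed sample input standing in for a CGI parameter. Appending an
# empty substring of a tainted value (%ENV is tainted) marks the string as
# tainted, exactly as data read from a request would be.
my $filename = 'report-2007.txt; rm -rf /' . substr($ENV{PATH}, 0, 0);

# Untaint by extracting only the characters we consider acceptable.
# A regex capture is the one operation that clears the taint flag, and
# only the captured text ($1) is cleared; anything else is rejected.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/;
    return undef;
}

printf "raw input tainted: %s\n", tainted($filename) ? 'yes' : 'no';

my $safe = untaint_filename($filename);
if (defined $safe) {
    printf "accepted '%s' (tainted: %s)\n", $safe, tainted($safe) ? 'yes' : 'no';
} else {
    print "rejected '$filename': not a valid file name\n";
}

# What Perl does if tainted data reaches a shell command anyway: the call
# dies before anything executes. eval{} catches the die so the script can
# report it instead of terminating.
eval { system("ls -l $filename"); 1 }
    or print "system() refused tainted data: $@";

# The same operation with a value that passed the untainting check is
# allowed. The list form of system() also avoids the shell entirely, so
# metacharacters in the argument would never be interpreted.
my $ok = untaint_filename('report-2007.txt' . substr($ENV{PATH}, 0, 0));
if (defined $ok) {
    system('ls', '-l', $ok) == 0
        or print "ls exited non-zero (the sample file does not exist)\n";
}
```

<p>Run without <code>-T</code> the first <code>system()</code> would hand the whole string, semicolon and all, to <code>/bin/sh</code>; under <code>-T</code> it dies with "Insecure dependency in system while running with -T switch" and the only route past that check is the explicit allow-list regex, which is the behaviour the summary's second point refers to. Perl also turns taint mode on by itself when the real and effective user or group ids differ, i.e. for setuid or setgid scripts.</p>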