comment on

First let me state that I do agree with most of this post and with most of the comments so far and that this is a great rule of thumb.

However I would like to point a few things out as I write a ton of incredibly insecure code almost daily and get away with it:

Point #1 - Not all of us write code for production environments or even multi-user machines

Point #2 - Writing secure code takes a lot of extra time, and I'm not saying it's not well spent, just another point

Point #3 - In some cases security is not neccisary, at all!

Point #4 - Giving "Good" security advice is nearly impossible these days, as there is someone who will disagree with whatever protocol/algorithm/tool/solution you recomend.

Point #5 - Security in code usually requires overhead of some sort.

Now I want to take the points I made and explain why I made them. I write code to test a suite of Network devices, ALL of this code is run on steril networks, and none of it needs to be secure, all I need to do is get the job done as fast as I can!

Please don't get me wrong, I have made security (specifically network security) my life's work and I am dedicated to making the Net and all of it's tributaries more secure, but there is a time and place for everything, and sometimes the advice I need does not require security. Sometimes I just need the quick and dirty way to do it.

I would however like to advocate Disclaimers for ANY code/advice you know to be even the slightest bit vulnerable! Just because You or I may not require the security in that situation doesn't mean that fair warning should not be posted.

The other point I would like to make is that many of the folks asking for advice here need to know HOW to do it in the first place and will worry about the security after proof of concept stage. Many posters already have a security model in place and are dealing with many of the concerns brought up, and just need some logic help.

I beleive some of the source of this post were the several posts about filenames and uploads using CGI.pm, and I agree that people should be VERY security aware when handing out advice for those situations, and should remember that they may be educating newbies to not only Perl, but also Programming in general, and installing good security practices at that stage of learning is critical.

I will probably get chewed on for this POV, but I am willing to sacrifice those XP :)

"Nothing is sure but death and taxes" I say combine the two and its death to all taxes!

In reply to Devil's (BSD) Advocate by Rex(Wrecks)
in thread (OT) Security Rant by Ovid

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


Pathologically Eclectic Rubbish Lister
	PerlMonks