Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Re: Security techniques every programmer should know (Security References)

by eyepopslikeamosquito (Bishop)
on Dec 29, 2004 at 02:06 UTC ( #417902=note: print w/replies, xml ) Need Help??


in reply to Security techniques every programmer should know

Writing secure programs. Wow, that's a huge topic. Where to start? :-)

I suppose with some basic Perl references. The Camel Chapter 20 "Security" provides an excellent (and much more detailed than perlsec) overview of fundamental Perl security issues. This chapter is broken into: Handling Insecure Data, Detecting and Laundering Tainted Data, Defeating Taint Checking, Cleaning Up Your Environment, Accessing Commands and Files Under Reduced Privileges, Handling Timing Glitches (Unix Kernel Security Bugs, Handling Race Conditions, Temporary Files), Handling Insecure Code (Changing root, Safe compartments, Code Masquerading as Data).

The Perl Cookbook has recipes: 8.17 (Testing a File for Trustworthiness), 19.4 (Writing a Safe CGI Program), 19.5 (Executing Commands Without Shell Escapes).

Though the Safe module is described in the Camel, it's not safe according to Safe.pm considered unsafe?.

The venerable suidperl has apparently had all known insecurities plugged by Paul Szabo in Perl 5.8.4. However, "For new projects the core perl team would strongly recommend that you use dedicated, single purpose security tools such as sudo in preference to suidperl" (perl584delta).

Which leads me to an important general piece of security advice (simplifying outrageously): Keep up-to-date with the latest version of perl. Well, that's a bit over the top; keep an eye on security alerts and perldelta security bug fixes and upgrade your perl judiciously. Apart from Paul's heroic suidperl fixes, security bugs are being squashed all the time. For example, perl 5.8 introduced Hash Randomisation and ensuring that sort never goes O(n-squared). Despite these two important denial-of-service (DoS) improvements, Perl regular expressions remain a concern for DoS attacks, it being easy to write (and hard to detect) a regular expression that finishes after the heat death of the universe.

Application Security References

General Security References

Perl Security References

  • perlsec
  • perlsecpolicy
  • Storable (Some features of Storable can lead to security vulnerabilities if you accept Storable documents from untrusted sources with the default flags)

CPAN Security

  • CryptX - Cryptographic toolkit

Perl Monks Nodes related to CPAN Security

Perl Monks Security Related Nodes

Classics:

2022:

Earlier:

SQL related:

Other

Updated: Many extra references were added long after the original reply was made.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://417902]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others contemplating the Monastery: (6)
As of 2023-02-08 06:21 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    I prefer not to run the latest version of Perl because:







    Results (40 votes). Check out past polls.

    Notices?