http://qs321.pair.com?node_id=74706

belize has asked for the wisdom of the Perl Monks concerning the following question:

Is there a proper procedure to check a freeware/shareware/commercial script for level of security?

We have a customer that needs a message system similar to infopop's Ultimate Bulletin Board, but needs to be sure that it is secure and that they can control who can post and READ the postings with a basic level of confidence (knowing that most computers linked to the Internet can be hacked).

Also, I was under the impression that a secure server (SSL) only secures data while transferring, and does not really affect the security of files on the server. Is that a correct assumption?

Re: Checking script for security level
by arturo (Vicar) on Apr 23, 2001 at 17:53 UTC

    That kind of security is pretty tough to assess. I don't see there being an automated tool for that sort of thing, because assessing the risk level of any method requires an understanding of the technology involved (cookies, URL mangling, etc.), what kind of clients are going to use it (can people read this from public kiosks, or can you tie them down to a particular (group of) workstations?), and human psychology. A lot also depends on how you're identifying individuals. Can you use cookies AND SSL? If so, you might set a cookie with a session ID and the 'secure' flag set to identify your users. Look up "MD5" on this site for some pointers on generating good session IDs.

    As for protecting the security of the files on the server, anything that can't be made to run safely under taint mode (-T) should be avoided.
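The session cookie arturo describes, worked through as an added example (this is not code from the thread or from any board software): the ID is drawn from the kernel's random source rather than derived from guessable values, the cookie is issued with the Secure flag (and HttpOnly, which was not mentioned above), and the value the browser sends back is accepted only if it matches the exact format that was issued. The in-memory session table and the user name are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Generate an unpredictable session identifier: 16 bytes (128 bits) from
# /dev/urandom, hex-encoded. Unpredictability has to come from the input;
# hashing a predictable value such as time+PID with MD5 does not add any.
sub new_session_id {
    my $bytes = 16;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $bytes;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $bytes;
    return unpack 'H*', $buf;              # 32 lowercase hex characters
}

# Build the Set-Cookie header for the response. 'Secure' stops the browser
# from sending the cookie over plain HTTP; 'HttpOnly' keeps page scripts
# from reading it.
sub session_cookie_header {
    my ($id) = @_;
    die "refusing to issue a malformed session id"
        unless $id =~ /\A[0-9a-f]{32}\z/;
    return "Set-Cookie: session=$id; Path=/; Secure; HttpOnly";
}

# Pull the session id back out of a request's Cookie header. Only a value in
# exactly the issued format is returned; anything else yields undef, so a
# tampered or truncated cookie never reaches the session lookup.
sub session_id_from_cookie {
    my ($cookie_header) = @_;
    return undef unless defined $cookie_header;
    for my $pair (split /;\s*/, $cookie_header) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && $name eq 'session';
        return $value if defined $value && $value =~ /\A[0-9a-f]{32}\z/;
        return undef;
    }
    return undef;
}

# Demonstration with a constructed session table (user name is made up).
my $id = new_session_id();
print session_cookie_header($id), "\n";

my %sessions = ($id => 'alice');
my $returned = session_id_from_cookie("theme=dark; session=$id");
print "request maps to user: ", ($sessions{$returned} // 'nobody'), "\n";

my $forged = session_id_from_cookie('session=../../etc/passwd');
print "forged cookie accepted? ", (defined $forged ? 'yes' : 'no'), "\n";
```

The server-side table is what actually ties the ID to a user; the cookie only carries an opaque handle, so nothing about the user has to be trusted from the client.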

Re: Checking script for security level
by suaveant (Parson) on Apr 23, 2001 at 17:44 UTC

    Yes on that second part... It protects data as it is transferred, so that people trying to snoop the transmission can't read passwords and data that gets sent back and forth, but the stuff like user handling and passwords and sessions are entirely up to the program, and have nothing to do with SSL.

    - Ant

Re: Checking script for security level
by dws (Chancellor) on Apr 23, 2001 at 19:41 UTC
    Security can indeed be tough to assess, though there is one automatic disqualifier that's easy to check: Do the scripts survive taint checking?

    Slightly harder, but still doable, is to inspect each file open to verify that any filenames that have been passed in have been correctly de-tainted. (I.e., did the programmer really taint check, or did they do the minimal to make the warning go away?)

    The rest is application specific.
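The taint-mode check that arturo and dws both point to, as an added example that is not code from the thread: run it with `perl -T taint_demo.pl SOMENAME`. It contrasts the "make the warning go away" untaint dws warns about with one that actually restricts the filename, and it shows a caveat worth knowing when you inspect a script's file opens: taint mode only refuses tainted names for operations that modify the filesystem (a write or append open), so a read-only open of a tainted name passes silently and has to be caught by eye. The message directory is hypothetical.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, everything from outside the program (@ARGV, %ENV, STDIN, CGI
# parameters) is tainted. A regex capture is the only way to untaint, so the
# pattern in that capture is where the real check lives.

# The lazy untaint: a capture that accepts anything. Perl is satisfied,
# the user-supplied value is unchanged, and nothing has been checked.
sub untaint_anything {
    my ($s) = @_;
    my ($clean) = $s =~ /^(.*)$/s;
    return $clean;
}

# The real untaint: accept only a plain base name of safe characters, so
# directory separators and '..' components cannot get through. Returns undef
# when the input does not conform, which the caller must handle.
sub untaint_filename {
    my ($s) = @_;
    return undef unless defined $s;
    my ($clean) = $s =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/;
    return undef unless defined $clean;
    return undef if $clean =~ /\.\./;   # conservatively reject '..' anywhere
    return $clean;
}

die "usage: perl -T $0 FILENAME\n" unless @ARGV;

my $dir       = '/var/www/board/messages';   # hypothetical message store
my $requested = $ARGV[0];

printf "ARGV[0] tainted?                 %s\n", tainted($requested) ? 'yes' : 'no';

my $lazy = untaint_anything($requested);
printf "after lazy untaint, tainted?     %s (value unchanged: %s)\n",
    tainted($lazy) ? 'yes' : 'no', $lazy;

# Caveat: a read-only open of a tainted name is NOT stopped by -T.
my $read_ok = open my $rfh, '<', "$dir/$requested";
printf "read-open with tainted name:     %s\n",
    $read_ok ? 'allowed by -T' : "not blocked by -T, failed with: $!";
close $rfh if $read_ok;

# A write/append open of a tainted name is what -T actually refuses.
my $err = '';
eval { open my $wfh, '>>', "$dir/$requested" or die "open failed: $!\n"; 1 }
    or $err = $@;
print  "append-open with tainted name:   $err";

# The properly checked path: either a safe name or an explicit rejection.
my $good = untaint_filename($requested);
if (defined $good) {
    my $path = "$dir/$good";
    printf "checked name OK, would open:      %s (tainted? %s)\n",
        $path, tainted($path) ? 'yes' : 'no';
} else {
    print  "rejected: '$requested' is not an acceptable message file name\n";
}
```

Try it with a plain name such as `notes.txt` and then with `../../etc/passwd`: the lazy untaint returns both unchanged, the append open dies with "Insecure dependency in open" for either, and only `untaint_filename` distinguishes the two. That difference is exactly what you are looking for when you inspect each open in someone else's script.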