http://qs321.pair.com?node_id=82633


in reply to Alternatives to Taint Checking?

Ovid, compliments on a great post. I know I'll be following any discussion on this thread with great interest.

I have a few CGI scripts for the company that I work for, and I have recently come up against the same problem (I actually didn't want to install Perl on the web servers, so I took the really lazy way out and compiled the scripts into executables). Performance is an issue now, though, and both the compiled executables and conventional CGI scripts fail various load tests. Because of my employer's commitment to a Microsoft-based server platform, I am also considering a move to ISAPI.

I wasn't aware of a tainting issue with ISAPI, but I can see one way around it. If the production and development servers are separated, then, because performance is not a big issue on the development servers, run Apache for Win32 and mod_perl and/or CGI scripts there with tainting enabled. If a good test suite can be built (you really do need a separate QA unit, possibly running their own web servers if needed), and if all the obvious taint checks pass on the development servers, then you can "promote" the script to run on the ISAPI-based production servers (even with taint checks turned off).

It's by no means a perfect solution, but given the restrictions you have to work with (and these restrictions are the same ones that I work under as well), it's the only way to ensure that some level of security checks are passed before a script runs on a production server.

Might I also add that Nessus is a particularly useful piece of software for running automated security checks on servers. It can't catch everything, of course, but it does probe servers for the more common types of CGI and server vulnerabilities.
HTH
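An added example of the "pass under -T on the dev box, run without -T in production" approach described above. This is not code from the original post or from any poster in the thread; it is written so that the same script passes taint checks when run under `perl -T` and still rejects bad input when the ISAPI/production side runs it with taint checking off, because the untainting regex is the actual validation. The report directory, the parameter name and the fallback query string are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). Run it twice during testing:
#   perl -T this.pl                      (development: taint checks on)
#   perl    this.pl                      (production-style: taint checks off)
# and it must behave identically, because no security decision depends on -T.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T everything derived from %ENV or STDIN is tainted. The fallback
# query string is a constructed sample so the script runs offline; it is a
# literal, so it is NOT tainted, whereas a real QUERY_STRING would be.
my $raw = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : 'report=january.txt';

# split() preserves taint (unlike a regex capture), so the parsed values are
# still tainted here when the input came from the environment.
my %param = map { my ($k, $v) = split /=/, $_, 2; ($k => $v) } split /&/, $raw;

# Under -T, Perl refuses system()/exec()/backticks while PATH is tainted,
# so a taint-clean script sets its own PATH before any external call.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# The only way to untaint is a regex capture, so the pattern is the control:
# an allowlist of file-name characters, no slashes, no leading dot, no NUL.
# Anything else is rejected rather than "cleaned up".
sub untaint_filename {
    my ($in) = @_;
    return unless defined $in;
    return $1 if $in =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return;
}

my $name = untaint_filename($param{report})
    or die "invalid report name\n";

# Belt and braces for the dev-server test suite: tainted() is always false
# when -T is off, so this assertion only bites where taint mode is enabled.
die "report name is still tainted\n" if tainted($name);

# Using $param{report} directly below would, under -T, die with
# "Insecure dependency in open while running with -T switch".
my $dir = '/var/www/reports';   # assumed location, not from the original post
open my $fh, '<', "$dir/$name" or die "cannot open $dir/$name: $!\n";
print "Content-type: text/plain\r\n\r\n";
print while <$fh>;
close $fh;
```

The point of running it under -T on the development server is that a forgotten untaint (for example, passing `$param{report}` straight into `open`) fails the test suite there, while the regex that does the untainting is what protects the ISAPI copy that runs with taint checks turned off.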