I'm used to dealing with Perl-FUD of many shapes and sizes, from "it's unmaintainable" to "it's not enterprise-ready" to "it's too slow^{1}". Today, though, I got a new one. My manager's manager's manager (manager^3, for short) is trying to put the brakes on a very nice project that happens to be mostly Perl code, on the grounds that "Perl is not secure."

As far as I can tell, manager^3 believes that this is the case because 'Perl has bindings into OS calls that bypass OS security'.

Fortunately, manager and manager^2 don't buy it. Manager^2 has asked me to disprove manager^3's misgivings. Now, I can certainly explain how Perl works, but that (a)will probably be beyond manager^3's ken, and (b)manager^3 will not be convinced by just my words alone.

I've Googled quite a bit, but can't really find what I'm looking for: a good article (not on someone's blog, unless they are a well-known technologist^{2}) that explains how Perl compares to .NET and/or Java in terms of security. FWIW, the application in question is to be installed on a RedHat Linux sever and run under mod_perl, so any suggestions specifically germane to that environment would be useful as a supplement to more general resources. Ultimately, any help I can get from the Monastery would be useful.

I know there are Monks here who could probably write and publish such a piece, and whose work would be respected, but I'd be happy with any reference I can get hold of. Unfortunately, time is short, I only have a few days to make my case that we don't need to ditch an entire product just because it's written in Perl.

Whatever material I find elsewhere, I will post here as well. Whatever I use, I will collect together and post, with a report on how it was received. When that happens, I will link to that post (probably a Meditation, I'd think) by updating this node as well.

Many thanks!

1. Granted, Perl is sometimes too slow, but usually people think it's a lot slower than it really is.
2. Doesn't have to be a household name, but someone who has done good work on something recognizable would be perfect.

Update:

Based on links provided below (thanks to those that read and understood that I needed external documentation, not just a technical explanation), and in collaboration with some savvy pro-Perl managers at my organization, I've come up with the following upper-management-friendly summary:

In general, Perl should be accepted as a secure development platform because:

1. The Perl interpreter is a standard OS executable binary, and can be controlled like any other application
2. Perl notices when an application is running under SetUID or SetGID, and forces "taint mode" -- a feature that requires the application validate data before passing it to potential injection targets.
3. Perl is a virtualized environment (like Java or .Net Managed Code), and thus prevents buffer overflows and other classes of vulnerability, making it a more-secure choice than C/C++ or .Net Unmanaged Code.

Additionally:

1. Perl is used extensively by many top enterprises:
   1. Morgan Stanley has widely been recognized has having one of the best IT departments in the financial industry: see http://conferences.oreillynet.com/cs/os2003/view/e_sess/4293, a presentation given on how Morgan Stanley uses Perl for command-line, GUI, and Web applications throughout their enterprise
   2. Citigroup, JPMorgan, UBS, Bank of America, Deutsche Bank and others all make use of Perl : http://perltraining.com.au/whyperl.html#who
   3. The Swedish government uses Perl to run its pension system: http://www.oreillynet.com/pub/a/oreilly/perl/news/swedishpension_0601.html
   4. The Canadian Customs and Revenue Agency uses a Perl-based system for document management and control (in a high-security setting): http://www.oreillynet.com/digitalmedia/blog/2002/06/perl_success_story_perl_provid.html
   5. The University Hospital of Lausanne, Switzerland manages its healthcare-billing system with Perl: http://www.oreillynet.com/windows/blog/2004/09/perl_success_story_easy_health.html
2. Gartner's list of main app development technologies is: .Net, J2EE, and LAMP. LAMP is Linux (and OpenSolaris), Apache, MySQL (and PostGres), and Perl, PHP, or Python.

This is not entirely final, so if others have something to add, please feel free to do so.

Updates:

• 20070907 : added marked 'Update' section