Is it Secure?

by cjf (Parson)
on Apr 09, 2002 at 22:53 UTC ( #157885=perlmeditation )

I'm sure we've all been asked this at some point or another. Perhaps a friend asked you this question about their computer. Maybe your technologically savvy PHB (</sarcasm>) asked it about the program you're currently working on. It's a question that is asked every single day, and there is no correct answer.

The reason that there is no correct answer is that the question is naive at best. No system can ever be completely secure. Stating that a system is 'secure' provides little information and begs the question 'secure from what?' Even the computer that's unplugged and encased in concrete in your basement is vulnerable to an earthquake.

All a system can be is secure enough that the chance of it being compromised is acceptable. This, of course, dictates that the amount of security required depends on the job you're doing. If you're storing highly sensitive data such as credit card numbers, increasing security should be a very high priority.

Security is, however, only one of many priorities. Increased security will often make your system more intrusive, harder to use, and will cost more in time, talent, and ultimately money. Increasing security is an investment, and it is important to assess how far you're willing to go to reduce your vulnerabilities to a certain level.

So how do you determine how much increased security is worth to your project? Developing a security policy that enforces basic security standards will give you an idea of how far you'll need to go out of your way to increase the security of your system or product. RFC 2196, a 'guide to developing computer security policies and procedures for sites that have systems on the Internet', serves as a good base example. Similar concepts can be applied to many other areas. In order to write an effective security policy you also need to know what your major vulnerabilities are. Attack Trees by Bruce Schneier suggests a method of modeling security threats and discovering what areas you need to focus on most.

Applying these concepts to developing web applications written in Perl is not difficult either. At the lower end of the spectrum you could just say all scripts placed online must use taint checking. Placing a slightly higher value on increased security you could require all scripts follow guidelines similar to those in Essential CGI Security Practices. Even though you can extend your policy and lessen vulnerabilities indefinitely along this spectrum, your project will never be 'secure', it will only be more resistant to certain attacks.

Security is not an all or nothing issue.

Update: Added the third sentence in the second paragraph to clarify a point. Thanks for the suggestion podmaster :).

(podmaster) Re: Is it Secure?
by PodMaster (Abbot) on Apr 10, 2002 at 02:36 UTC
    I've seen a lot of talk about security lately, and I don't recall seeing anybody point out ZZamboni's articles/talks on "Building an Intrusion Detection System with Perl". Seeing how Security is a process/race, I felt this to be relevant material (the eye in the sky is monitoring the race/process).

    Look ma', I'm on CPAN.

    ** The Third rule of perl club is a statement of fact: pod is sexy.
      Security is definitely a process! It's more like a marathon than just an all out race. You want to keep your opponents in close sight, be prepared to run for a long time, then haul ass when you need to.

      perl -e 'print reverse qw/o b n a e s/;'
Re: Is it Secure?
by japh (Friar) on Apr 09, 2002 at 22:58 UTC
    Security is not an all or nothing issue.

    To paraphrase a series of paraphrases, "Security is a journey, not a destination."

      Security is a journey, not a destination.

      I'd say it's more of a race between you and those who would exploit vulnerabilities in your system or program. The more resources you commit to going faster, the longer you can stay ahead of them. Keeping in mind the costs if they catch you, and adjusting your speed accordingly :).

        /me mumbles something about not having to be faster than the lion, just faster than you. :)

Re: Is it Secure?
by ajt (Prior) on Apr 10, 2002 at 08:16 UTC
    I've just started reading Secrets and Lies (ISBN 0471253111) by Bruce Schneier, seems to be an excellent book.

    I was recommended it from a node I saw here, but I can't find it, I did find the following, and suggest glancing at them too: Re: Bruce Schneier (I little OT); Book recommendation; and Secrets & Lies & Perl.

    My 2p.

    Update: I've now read this excellent book. In places it's a bit wordy, but overall it's a fascinating read, and I would recommend it to anyone even thinking of security. Also see his web site for his latest newsletters.

Re: Is it Secure?
by ignatz (Vicar) on Apr 10, 2002 at 16:11 UTC
    I think that you fall into a real trap when you take an us/them approach to security. Security starts at home. Take a system that you are in charge of. Ask yourself how much damage you could do to it if you wanted to. Rate its security by your answer.
      I could completely wipe out a system that I'm "in charge of," else I'm not really in charge of it, am I? If you look at *users* of a system you're in charge of, I think you have a good point.

      Or am I missing your point entirely?

      Update: 2002-04-10 20:23 EDT - Somehow I always think of backups as distinct from security, though I know backups are part of security. Thanks for the reminder, ignatz.

      s!!password!;y?sordid?binger?; y.paw.mrk.;;print chr 0x5b ;;; print;print chr(0x5b+0x2);;;;;
        If you can wipe out a system and there is no way for someone to recover that system after you are fired then you are a single point of failure and it's not a secure system. My point really stems from the fact that most theft and damage is internal, not external.

        At one company where I was the lead developer I made it a point to not have root on any shared server. None of the programmers had root to production or central web servers. We each had our own server that we built and used CVS to manage the code. There was no single point of failure. I could decide to go postal at any time and the system was never at risk.

        Lucky for them I did, because after they fired us all, escorting us with armed guards from the building with one hour's notice, the site wasn't at risk despite our anger at the way we were treated. It ran safely for many months until they went bankrupt.

        Update after a few hours of sleep: Having all of the developers work in their own environment came not out of distrust, but from a desire to get beyond the BS that I've seen happen over and over in a centralized free for all environment: A stupid angry developer who decides to log in as someone else to try to make them look stupid. Product Managers who decide that they don't like the pace of things and decide to go in and change other people's work without telling anyone. It's a lot of fun to tell people who ask for a root password "I don't have root and I built that damn thing, why the hell do you need it."

        I think that it's interesting when building something to play the game of imagining an opponent trying to break into my application who knows everything that I know. If I wanted to f___ with a web application what would I do, and how would I defend against myself, being that I'm the person most likely to be able to do the most damage.

Re: Is it Secure?
by Molt (Chaplain) on Apr 11, 2002 at 16:20 UTC

    I always thought the answer to 'Is it secure?' is 'No, and anyone that ever claims anything is secure is wrong'?
