Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Re: Secure Perl Coding Standards

by mr_mischief (Monsignor)
on Apr 07, 2009 at 16:52 UTC ( [id://756081]=note: print w/replies, xml ) Need Help??


in reply to Secure Perl Coding Standards

One place to look is in the standard Perl documentation. See perlsec especially, which is all Perl security info. Also look at perltaint. There is security info in the open, system, and exec portions of perlfunc and more in perlopentut. Some of the info in perltrap is security related.

Entire books have been written on the idea of secured programming which might help you formulate your standard. Secure Coding: Principles and Practices is one such book on the topic of writing secure code. Writing Secure Code, Second Edition is another, and some sample material from that is available at this MS Press page for the book (which even includes some Perl info in the examples). Security Forest has books on secure coding rated, including the two above.

brian d foy has online a sample from his book Mastering Perl that deals with security. I'd recommend buying the book if you find it helpful. Other Perl books make some reference to security, too.

There's a tutorial about security of Perl applications at http://www.perlcode.org.

Secure web programming is mentioned at http://advosys.ca/papers/web/61-web-security.html. You might not be doing web programming, but don't forget your application domain has its own security issues no matter the language. Make sure you have standards in place for the application domains, too.

Read up on vulnerabilities and consider how to avoid them. Knowing what you're securing against is one of the best ways to formulate how you're going to secure something.

Above all, remember that untested security is likely very little security at all. Most security errors slip through from a lack of black-box testing of the code at its boundaries. Write tests to check boundary conditions and even completely invalid inputs that are unlikely to occur. Any interface to the user is an interface to a fuzzing tool.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://756081]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others cooling their heels in the Monastery: (7)
As of 2024-03-28 21:03 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found