# Both lines perform the same glob operation; "insecure" in the trailing
# comments means the returned values are tainted when taint mode is on.
@files = <*.c>; # insecure (uses readdir() or similar)
@files = glob('*.c'); # insecure (uses readdir() or similar)
# In either case, the results of glob are tainted, since the list of
# filenames comes from outside of the program.
# Before a name from @files is passed to anything that affects the system
# (open for writing, unlink, system, ...), match it against an anchored
# pattern that describes the names you expect and use the captured text.
####
#!perl -T
# -T enables taint mode, so data that originates outside the program is
# tracked and may not reach operations Perl considers unsafe.
use 5.032;
use warnings;
...
my @prefixes = qw{...};
# The pattern holds only brace alternations and no wildcards, so glob is
# being used here to generate combinations of x, y and z. The strings it
# returns are still marked tainted, like any other glob result.
my @suffixes = glob('{,x}{,y}{,z}');
...
for my $prefix (@prefixes) {
    for my $suffix (@suffixes) {
        # Taint propagates: anything built from $suffix is tainted too.
        my @letters = split //, $suffix;
        my $name = join('_', $prefix, @letters);
        # run is(...) test with $name here
    }
}
####
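# Launder the one tainted input ($suffix, which came from glob) against an
# allow-list instead of untainting the finished name with /^(.+)$/. A
# catch-all pattern accepts any text, so it switches taint checking off
# rather than validating anything, and reading $1 without testing the match
# can pick up a stale capture from an earlier regex when the match fails.
# The pattern below accepts exactly the strings that '{,x}{,y}{,z}' can
# expand to, including the empty string.
# NOTE(review): assumes $prefix comes from a literal qw{} list and is
# therefore not tainted; validate it the same way if that is not the case.
my ($clean_suffix) = $suffix =~ /\A(x?y?z?)\z/
    or die "unexpected suffix from glob: '$suffix'\n";
my $name = join '_', $prefix, split //, $clean_suffix;
# run is(...) test with $name here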