in reply to Secure CGI

YO! The best thing you need to do is to think and don't ask. It's good to get some advice but it's pretty dangerous sometimes. Security starts at you and not from the other's concepts. Do not open source your program if it needs security. How can u call it secured if u let other people know what's inside. * The best solution is always your self. Trust your self and you shall see cya, AgentKelly

Replies are listed 'Best First'.
RE: Re: Secure CGI
by Malkavian (Friar) on Oct 27, 2000 at 13:13 UTC
    Actually, I'd beg to differ.
    A lot of talk goes the "Security by obscurity" route. I.e. Don't release source, don't let anyone know what you're doing.
    Part of the job I do involves system security, and if there's one thing that's apparent, security through obscurity doesn't work.
    If you close your source, and don't let anyone know what's inside it, then you will almost definately miss something (if the app is sufficiently sizable).
    And there will be someone out there able to crack it.
    However, a good code review by a grouip of experienced and good coders will bring a good many of these to light. And in the end, they have almost as much to lose as you do.
    By giving advice, they're actually laying part of their reputation on the line, and reputation is pretty important to the open source community in general (well, far as I know so far.. :) )..
    Anyhow, the anonymous troll like monk that posted before this kinda killed his own argument.
    "Take nobody's advice but your own" is advice, which he's suggesting you don't take, so, should be ignored.
    Advice is a good thing, as long as you remember it's just that. Advice. What you do with it is up to you..
    My personal thoughts on things are "Get the bugs found before programs hit production level where someone else will..". Code reviews are the best way I know to do that..

    Just my tuppence worth,

    Malk
[reply]
(jcwren) Re: (2) Secure CGI
by jcwren (Prior) on Oct 27, 2000 at 16:02 UTC
    I agree with you pretty much on this, but consider this: Why give away hints? If you use the file extentsion .cgi, a would-be cracker (not a hacker) has no idea if you're using Perl, C, Ruby, COBOL, or whatever to do your CGI. You use .pl, and you've given away a pretty good hint you're running Perl.

    Now, your code review has passed, everything is fine, and 3 months later someone discovers a latent problem in CGI.pm or Perl itself. Is someone more likely to try that new exploit against a site they see with .cgi scripts, or .pl scripts?

    Security through obscurity is a bad policy to rely on to hide bad programming, but it's a good policy to help make it more difficult for someone to work against you.

    After all, if you have a safe in your home, do you put up a sign saying 'safe is in basement'?

    --Chris

    e-mail jcwren
[reply]

In Section Seekers of Perl Wisdom