Re: ACKKKKKKKKK! I Have been cracked!

Actually, I'm very glad you posted this for it raised something that's been eating at my ethics for some time.

We're told many things about what were suppose to do regarding security:

Use CGI
-wT
use strict
fix paths
avoid backticks
untaint only the most minimally supported values
Don't include unnecessary (and unencrypted) data (prices, passwords, etc) as hidden or cookie fields.

Yet, I can find few specific examples of supposedly secure scripts. I see many things that aren't, but I see few discussions of what actually works.

I mean, it may be one thing to know that MSA sucks or that SS's shopping carts are *insecure*, but where do we find examples that *are* secure?

Apologies for going a bit left field on you, but if you think about it...that's what I think I lot of us want to do. What common, simple, and *specific* things can we do to write scripts that won't keep us awake at nights, fretting about what we don't know? What's the difference between memes/CCP/STO vs. what actually works?

--f

Update: Added a couple of new items based on a later CB conversation.

Comment on Re: ACKKKKKKKKK! I Have been cracked!

Replies are listed 'Best First'.
(Ovid - secure software) Re(2): ACKKKKKKKKK! I Have been cracked! by Ovid (Cardinal) on Apr 03, 2001 at 11:07 UTC
footpad wrote: I mean, it may be one thing to know that MSA sucks or that SS's shopping carts are insecure, but where do we find examples that are secure? Good question. I see that the Reviews section has places to discuss books and modules, but not software. I don't know that it would be appropriate to list software there (too much software, too few people able to adequately judge them), but it would be nice to find a source we could trust. For example, Minivend (now owned by Akopia) was considered secure. A recent "crack our box" contest found a vulnerability (an input field forgot to strip the pipe character), but it was fixed quickly. I don't know if that package is still safe, but I noticed something curious when I worked with it: the author didn't use taint checking! Here we have a widely used package that seems to be secure, but doesn't use taint checking. I certainly would not care to recommend it simply for that reason, but what is one to do? Is there anything out there that really meets our exacting standards yet is useful, robust, and scalable? I'm not suggesting that one compromise, I'm merely asking if there really is freely available software that we could recommend? Ovid walks away, grumbling and muttering to himself that ideals may be castles in the sky. Cheers, Ovid Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.	[reply]

Replies are listed 'Best First'.

(Ovid - secure software) Re(2): ACKKKKKKKKK! I Have been cracked!
by Ovid (Cardinal) on Apr 03, 2001 at 11:07 UTC

footpad

I mean, it may be one thing to know that MSA sucks or that SS's shopping carts are *insecure*, but where do we find examples that *are* secure?

Reviews

trust

Akopia

Here we have a widely used package that seems to be secure, but doesn't use taint checking. I certainly would not care to recommend it simply for that reason, but what is one to do? Is there anything out there that really meets our exacting standards yet is useful, robust, and scalable? I'm not suggesting that one compromise, I'm merely asking if there really is freely available software that we could recommend?

Ovid walks away, grumbling and muttering to himself that ideals may be castles in the sky.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

[reply]