Stuff with the Perl Foundation. A couple of patches in the Perl core. A few CPAN modules. That about sums it up.
On the Perl Jobs mailing list, a job for a security audit of a mod_perl site was listed (the job is no longer in the database, though). While that seems straightforward, the following information was supplied:
Audit the nlp.petamem.com pages which are written in perl (using mod_perl2) for security problems and other faults. You cannot have direct access to the site code, but we will provide you with all technical information you need for auditing.
I've done white box security audits of code, but never something like this. Am I completely missing something? Do you even need to know Perl if you're not allowed to look at the code? How the heck can you "audit" something you're not allowed to see? The only thing I can think of is to spider the site and start throwing malformed input at everything and see what breaks. That's hardly an audit and would likely miss many problems. Are requests like this common in the security world? I know that penetration tests aren't uncommon, but asking for an audit of code you're not allowed to see is a different beast altogether.
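As an added illustration (not part of the original post or the thread), here is the sort of "common weakness" a Perl tester probing a mod_perl site with malformed input is looking for, shown as the weak pattern next to a hardened one. It is a stand-alone script rather than a real mod_perl handler: the document directory, the function names and the probe values are all assumptions made for the example, and a handler would take the parameter from the request object and the directory from Apache configuration instead.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread or from the site being discussed.
# Run stand-alone under taint mode:  perl -T untaint.pl some-report.txt
use strict;
use warnings;

# Hypothetical document directory (assumption for the example).
my $DOC_ROOT = '/var/www/reports';

# Weak pattern: a request parameter is interpolated straight into a path.
# Taint mode does NOT block a read-only open(), so nothing in Perl itself
# stops a probe such as "../../etc/passwd" from walking out of $DOC_ROOT.
sub serve_report_weak {
    my ($name) = @_;
    open my $fh, '<', "$DOC_ROOT/$name" or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Hardened pattern: an allow-list regex both validates and untaints.
# Only the captured group (letters, digits, '-' and '_', ending in .txt,
# no slashes, no dot-dot, no NUL) ever reaches the filesystem.
sub validate_report_name {
    my ($name) = @_;
    return undef unless defined $name;
    return undef unless $name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,63}\.txt)\z/;
    return $1;    # $1 is untainted by the match
}

sub serve_report_safe {
    my ($name) = @_;
    my $clean = validate_report_name($name);
    return (undef, 'rejected') unless defined $clean;
    open my $fh, '<', "$DOC_ROOT/$clean" or return (undef, 'not found');
    local $/;
    my $body = <$fh>;
    close $fh;
    return ($body, 'ok');
}

# Constructed probe values of the kind a black-box tester would send,
# plus anything passed on the command line (which is tainted under -T).
for my $probe (@ARGV, 'report-2024.txt', '../../etc/passwd', "report\0.txt", 'a;ls.txt') {
    my (undef, $status) = serve_report_safe($probe);
    (my $shown = $probe) =~ s/[^ -~]/?/g;    # make control bytes printable
    printf "%-22s -> %s\n", $shown, $status;
}
```

The point for an audit without source access is that every one of those probes produces an observable difference at the HTTP layer (a rejection, a 404, or a served file), and that is the only evidence a black-box tester gets; the regex allow-list is what the site's own code would need for the weak pattern not to be reachable in the first place.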
blackbox audits (Score:1)
>never something like this. Am I completely
>missing something?
Actually yes. The difference between site audit and code audit.
>Do you even need to know Perl if you're not
>allowed to look at the code?
Yes - if the site is written in perl/mod_perl
you are expected to know the "common weaknesses"
and try the site for them.
If you will need (and as professional you will)
to go in deeper, you will have to ask for certain
information, which you probably wil