use Perl

Log In

[ Create a new account ]

Ovid (2709)

  (email not shown publicly)
AOL IM: ovidperl (Add Buddy, Send Message)

Stuff with the Perl Foundation. A couple of patches in the Perl core. A few CPAN modules. That about sums it up.

Journal of Ovid (2709)

Monday March 31, 2003
12:19 PM

Blindman's bluff and security audits

[ #11341 ]

On the Perl Jobs mailing list, a job for a security audit of a mod_perl site was listed (the job is no longer in the database, though). While that seems straightforward, the following information was supplied:

Audit the pages which are written in perl (using mod_perl2) for security problems and other faults. You cannot have direct access to the site code, but we will provide you with all technical information you need for auditing.

I've done white box security audits of code, but never something like this. Am I completely missing something? Do you even need to know Perl if you're not allowed to look at the code? How the heck can you "audit" something you're not allowed to see? The only thing I can think of is to spider the site and start throwing malformed input at everything and see what breaks. That's hardly an audit and would likely miss many problems. Are requests like this common in the security world? I know that penetration tests aren't uncommon, but asking for an audit of code you're not allowed to see is a different beast altogether.

>I've done white box security audits of code, but never something like this. Am I completely missing something?

Actually yes. The difference between site audit and code audit.

>Do you even need to know Perl if you're not allowed to look at the code?

Yes - if the site is written in perl/mod_perl you are expected to know the "common weaknesses" and try the site for them.

If you will need (and as a professional you will) to go in deeper, you will have to ask for certain information, which you probably wil