NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

  • I think that's a typical attitude though. I often encounter Java programmers who assume there is nothing they would need to think about with regard to security because Java will magically do it all for them.

    On the other hand, people like Chris Shiflett can make good money fixing security problems in other people's PHP code, and I wouldn't want to deny him his rent. Bring on the bad code!
  • You should add that reply, or something like it, to the course.
  • I now understand enough about security to know that I don't actually know all that much. I'm now more careful than I used to be, and I think the code I write is safe enough.

    This week I've started to learn about a SAP system. For security reasons the root password on the AIX and Linux boxen it runs on is changed every 90 days - an unpopular feature that an auditor insisted on, yet nobody bats an eyelid that they are all running telnet, rsh and NFS unprotected on the company intranet. Contrasting this we

    --
    -- "It's not magic, it's work..."
  • In most of the Stonehenge courses we talk about security, and we definitely hit it hard in the CGI course. We even have a separate course for web security where we try to cover everything. It's not that Perl is the problem, but that task, since you can make the same design and configuration problems in almost any language.

    I think the difference with open source stuff is that we are willing to talk about it and fix it. Most people don't see it that way though: they don't want to hear about it.
  • When you compare Perl to other languages, it has a much more security-aware main user-base and is designed to be as secure as possible.

    Things like a wide variety of ready-rolled strong encryption libraries and integration with standard SSL and SSH libraries, as well as the taint mode, put it well ahead of languages like PHP, ASP and ColdFusion.

    The culture of testing and defensive programming is also stronger than in some other cultures - Java programmers are certainly hot on testing (at lea

    --

    @JAPH = qw(Hacker Perl Another Just);
    print reverse @JAPH;
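The taint mode mentioned in the comment above, shown in a small added example (this is editorial code, not anything posted in the thread). It assumes nothing beyond core Perl: under `-T` every value that arrives from outside the program (here `@ARGV`, standing in for a CGI parameter) carries a taint flag, and perl dies rather than pass such a value to `system`, `exec`, `open` for writing and similar calls. The only way to clear the flag is a regex capture, which makes the validation step impossible to skip. The file name pattern and the `/tmp` path are illustrative choices.

```perl
#!/usr/bin/perl -T
# Added example of Perl taint mode; not code from the original thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run external commands until PATH is trusted and the
# shell-influencing variables listed in perlsec are gone.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Stand-in for a request parameter. @ARGV is tainted under -T; the literal
# fallback (used when no argument is given) is not, since it came from the source.
my $raw = @ARGV ? $ARGV[0] : 'report-2024.txt';

# Validate and untaint in one step. Only the capture group clears the flag, so
# whatever reaches $clean has passed the character-class check.
sub untaint_filename {
    my ($value) = @_;
    return undef unless $value =~ /\A([\w.-]{1,64})\z/;
    my $clean = $1;
    # The class above still admits ".." and dot-files; reject those explicitly.
    return undef if $clean =~ /\A\./ or $clean =~ /\.\./;
    return $clean;
}

my $name = untaint_filename($raw);
die "rejected input: $raw\n" unless defined $name;

printf "raw value tainted: %d, validated value tainted: %d\n",
    tainted($raw) ? 1 : 0, tainted($name) ? 1 : 0;

# Passing $raw here instead of $name would abort with
# "Insecure dependency in system while running with -T switch".
# The list form of system() also keeps the shell out of the picture entirely.
system('ls', '-l', "/tmp/$name") == 0
    or warn "ls exited with status $?\n";
```

Run it as `perl -T taint.pl 'foo;rm -rf /'` and the regex rejects the input before any command runs; run it with a plain name and `ls` executes with an untainted argument. The point worth taking from it is that taint mode does not make the regex safe for you: an untaint pattern like `/(.*)/` clears the flag while checking nothing, so the character class is where the real security decision lives.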
  • ... of how an attack might happen, might open their eyes. I find SQL Injection Attacks by Example [unixwiz.net] a very readable intro... and it's language neutral.
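To go with the SQL injection reference above, an added Perl example (editorial code, not from the thread or from the linked article) that shows the attack and the fix side by side in DBI. It assumes DBD::SQLite is installed; the table and its two rows are constructed inline in an in-memory database so it runs offline. With the injected password, the interpolated query's WHERE clause becomes `name = 'alice' AND password = '' OR '1'='1'`, which is true for every row, while the placeholder query sends the same string as a bound value and matches nothing.

```perl
#!/usr/bin/perl
# Added example: SQL injection via string interpolation versus DBI placeholders.
# Not code from the original thread. Assumes DBD::SQLite is available.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data for the demonstration.
$dbh->do('CREATE TABLE users (name TEXT, password TEXT)');
$dbh->do(q{INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')});

# Vulnerable: the user-supplied values are spliced into the SQL text, so a
# quote in the input changes the structure of the statement.
sub login_interpolated {
    my ($name, $pass) = @_;
    my $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$pass'";
    return $dbh->selectcol_arrayref($sql);
}

# Hardened: placeholders keep the statement fixed and ship the values
# separately, so the input is only ever compared as data.
sub login_placeholder {
    my ($name, $pass) = @_;
    return $dbh->selectcol_arrayref(
        'SELECT name FROM users WHERE name = ? AND password = ?',
        undef, $name, $pass);
}

my $injected = "' OR '1'='1";

printf "interpolated query, injected password -> rows: [%s]\n",
    join(', ', @{ login_interpolated('alice', $injected) });
printf "placeholder query,  injected password -> rows: [%s]\n",
    join(', ', @{ login_placeholder('alice', $injected) });
printf "placeholder query,  correct password  -> rows: [%s]\n",
    join(', ', @{ login_placeholder('alice', 's3cret') });
```

Note that taint mode does not catch this on its own: DBI will happily execute a tainted SQL string unless the handle is opened with its `Taint` attribute, and even then the right fix is the placeholder, not a regex that tries to enumerate dangerous characters.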