|The stupid question is the question not asked|
Devil's (BSD) Advocateby Rex(Wrecks) (Curate)
|on Dec 07, 2001 at 23:03 UTC||Need Help??|
First let me state that I do agree with most of this post and with most of the comments so far and that this is a great rule of thumb.
However I would like to point a few things out as I write a ton of incredibly insecure code almost daily and get away with it:
Now I want to take the points I made and explain why I made them. I write code to test a suite of Network devices, ALL of this code is run on steril networks, and none of it needs to be secure, all I need to do is get the job done as fast as I can!
Please don't get me wrong, I have made security (specifically network security) my life's work and I am dedicated to making the Net and all of it's tributaries more secure, but there is a time and place for everything, and sometimes the advice I need does not require security. Sometimes I just need the quick and dirty way to do it.
I would however like to advocate Disclaimers for ANY code/advice you know to be even the slightest bit vulnerable! Just because You or I may not require the security in that situation doesn't mean that fair warning should not be posted.
The other point I would like to make is that many of the folks asking for advice here need to know HOW to do it in the first place and will worry about the security after proof of concept stage. Many posters already have a security model in place and are dealing with many of the concerns brought up, and just need some logic help.
I beleive some of the source of this post were the several posts about filenames and uploads using CGI.pm, and I agree that people should be VERY security aware when handing out advice for those situations, and should remember that they may be educating newbies to not only Perl, but also Programming in general, and installing good security practices at that stage of learning is critical.
I will probably get chewed on for this POV, but I am willing to sacrifice those XP :)
"Nothing is sure but death and taxes" I say combine the two and its death to all taxes!