PerlMonks  

Devil's (BSD) Advocate

by Rex(Wrecks) (Curate)
on Dec 07, 2001 at 23:03 UTC (#130277)


in reply to (OT) Security Rant

First let me state that I do agree with most of this post and with most of the comments so far and that this is a great rule of thumb.

However I would like to point a few things out as I write a ton of incredibly insecure code almost daily and get away with it:

  • Point #1 - Not all of us write code for production environments or even multi-user machines
  • Point #2 - Writing secure code takes a lot of extra time, and I'm not saying it's not well spent, just another point
  • Point #3 - In some cases security is not necessary, at all!
  • Point #4 - Giving "Good" security advice is nearly impossible these days, as there is someone who will disagree with whatever protocol/algorithm/tool/solution you recommend.
  • Point #5 - Security in code usually requires overhead of some sort.

    Now I want to take the points I made and explain why I made them. I write code to test a suite of Network devices, ALL of this code is run on sterile networks, and none of it needs to be secure, all I need to do is get the job done as fast as I can!

    Please don't get me wrong, I have made security (specifically network security) my life's work and I am dedicated to making the Net and all of its tributaries more secure, but there is a time and place for everything, and sometimes the advice I need does not require security. Sometimes I just need the quick and dirty way to do it.

    I would however like to advocate Disclaimers for ANY code/advice you know to be even the slightest bit vulnerable! Just because You or I may not require the security in that situation doesn't mean that fair warning should not be posted.

    The other point I would like to make is that many of the folks asking for advice here need to know HOW to do it in the first place and will worry about the security after proof of concept stage. Many posters already have a security model in place and are dealing with many of the concerns brought up, and just need some logic help.

    I believe some of the sources of this post were the several posts about filenames and uploads using CGI.pm, and I agree that people should be VERY security aware when handing out advice for those situations, and should remember that they may be educating newbies to not only Perl, but also Programming in general, and instilling good security practices at that stage of learning is critical.

    I will probably get chewed on for this POV, but I am willing to sacrifice those XP :)

    "Nothing is sure but death and taxes" I say combine the two and its death to all taxes!
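The post above mentions the CGI.pm filename/upload threads as one trigger for the rant, and argues for a "quick and dirty" version beside the careful one with a disclaimer attached. The following is an added example, not code from this thread or from CGI.pm itself, showing exactly that pairing for one common upload hazard (a client-supplied filename used to build a path on disk). The upload directory, the form field name mentioned in the comments, and the sample filenames are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the PerlMonks thread): building an on-disk path
# from a browser-supplied upload filename, the quick way and the careful way.
use strict;
use warnings;
use File::Spec;

# Quick-and-dirty version, in the "just get the job done" spirit of the post.
# It trusts the client-supplied name, so "../../etc/passwd" leaves $upload_dir.
# Fine on a sterile test network; needs a loud disclaimer anywhere else.
sub unsafe_target_path {
    my ($upload_dir, $client_filename) = @_;
    return "$upload_dir/$client_filename";
}

# Hardened version. With CGI.pm the client name would come from
# $q->param('file') (hypothetical field name); here it is passed in.
sub safe_target_path {
    my ($upload_dir, $client_filename) = @_;

    # Some browsers send the full client-side path; keep only the leaf,
    # treating both / and \ as separators.
    (my $leaf = $client_filename) =~ s{.*[\\/]}{}s;

    # Whitelist: a bounded run of safe characters, not starting with a dot.
    # Anything else (NUL bytes, "..", dotfiles, shell metacharacters) is
    # rejected. The capture also untaints $safe when run under perl -T.
    my ($safe) = $leaf =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]{0,63})\z/
        or return;    # undef: caller reports an error to the user

    return File::Spec->catfile($upload_dir, $safe);
}

# Constructed sample names: a normal one, a Windows client path,
# a traversal attempt, a dotfile, and a name with an embedded NUL.
my @names = (
    'report.txt',
    'C:\\Users\\me\\photo.jpg',
    '../../etc/passwd',
    '.htaccess',
    "evil.pl\0.jpg",
);

for my $name (@names) {
    my $unsafe = unsafe_target_path('/var/uploads', $name);
    my $safe   = safe_target_path('/var/uploads', $name) // 'REJECTED';
    s/\0/\\0/g for ($name, $unsafe);    # make NULs visible in the output
    printf "%-26s unsafe: %-38s safe: %s\n", $name, $unsafe, $safe;
}
```

The hardened routine is only a few lines longer than the quick one, which is the point the post makes about most of its code: the fix is small, but it still needs to be written, tested, and, if you hand out the quick version instead, clearly flagged as unsafe for anything exposed to untrusted input.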


    Re: Devil's (BSD) Advocate
    by sparkyichi (Deacon) on Dec 08, 2001 at 00:47 UTC
      Practicing Good Habits is always a good idea. Shortcuts are always bad. I understand what you are saying and it is entirely a matter of opinion, but I just don't think it is a good idea to condone or rationalize knowingly marking your code insecure.

      Sparky

      BTW It will give you a + for challenging the system. :)
        Valid point, and to clarify...I don't knowingly make my code insecure. I try to practice Good Habits. My point was that I don't spend the extra time and effort to truly bulletproof my code simply due to its use. Most of my code would only take a few modifications to make bulletproof, the problem is that the modifications in question take a lot of time, both to develop and to test. And since security is almost always a time trade (i.e. any encryption can be broken, but will the data be obsolete by the time it is broken?) I usually focus more on stability than security for my situation. Again, for me that is a good trade.

        I would also like to reiterate that I DO agree with the original post, and my reply was NOT meant to advocate sloppiness! It was meant as the "time and place for everything" side of this equation.

        And yes that means the original post got a ++ from me, because it was well thought out and presented, and more importantly...RIGHT!

        "Nothing is sure but death and taxes" I say combine the two and its death to all taxes!
