PerlMonks  

Re: how could i make "them" understand that security IS important ?

by Joost (Canon)
on Sep 10, 2002 at 10:37 UTC (#196609)


in reply to how could i make "them" understand that security IS important ?

I am sorry to tell you that you AND your colleagues are (probably) not producing secure code here. If there is one rule for server security it's this:

Never trust the client

No matter how hard you filter and check the input in your client program, there is in fact no way for you to be sure the client hasn't been compromised. Think for instance about an HTML form with javascript checks on the input. Anyone can turn javascript off, write an alternative form, write an alternative client with LWP etc etc etc. This is (at least theoretically) true for every client program.

You MUST test the input on the server side if you are going to do any potentially dangerous things with it.

To answer your question though, the best way to demonstrate a security hole is to demonstrate exploiting it. Gather your coworkers around, enter some invalid data and see the system crash (or worse). Good security is not something that is achieved with only good intentions, it takes real effort and studying to do it right.

A very good guide to the various problems in this area can be found at the Open Web Application Security Project. Read it and let others read it. At the very least it will give your coworkers some feel for the variety of the problems.

-- Joost

downtime n. The period during which a system is error-free and immune from user input.
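An added example (my code, not Joost's) of the server-side check the reply insists on: the server validates every field against an allow-list regardless of what the browser-side JavaScript claimed to have done. The field names, rules and sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list rule for each expected form field. Rules are matched with
# \A ... \z rather than ^ ... $, because $ also matches before a trailing
# newline and would let "bob\n" through as a valid username.
my %RULES = (
    username => qr/[a-z][a-z0-9_]{2,15}/,          # 3-16 chars, lowercase
    quantity => qr/[1-9][0-9]{0,2}/,               # 1-999, no sign, no exponent
    email    => qr/[\w.+-]+\@[\w-]+(?:\.[\w-]+)+/,  # shape check only
);

# Validate the raw parameters exactly as the server received them (e.g.
# from CGI->param or a PSGI request). Returns a hashref of clean values
# and an arrayref of errors; the caller must stop if there are any errors.
sub validate_params {
    my ($raw) = @_;
    my (%clean, @errors);
    for my $field (sort keys %RULES) {
        my $value = $raw->{$field};
        if (!defined $value || $value eq '') {
            push @errors, "$field: missing";
        }
        elsif ($value =~ /\A($RULES{$field})\z/) {
            # When run under taint mode (perl -T), the capture is the
            # untainted copy: only data that matched the allow-list can
            # ever reach a shell, a filename or an SQL statement.
            $clean{$field} = $1;
        }
        else {
            push @errors, "$field: rejected";
        }
    }
    # Fields the form never defined are dropped, not passed through.
    return (\%clean, \@errors);
}

# Constructed inputs: what the HTML form sends, and what an alternative
# client (LWP, JavaScript switched off) can send just as easily.
my @requests = (
    { username => 'alice',  quantity => '3',   email => 'a@example.com' },
    { username => "bob\n",  quantity => '1e3', email => 'not-an-address' },
    { username => 'carol',  quantity => '-1' },
);
for my $req (@requests) {
    my ($clean, $errors) = validate_params($req);
    my $line = @$errors ? "REJECTED: @$errors"
                        : "OK: $clean->{username} ordered $clean->{quantity}";
    print "$line\n";
}
```

Run it with `perl -T` to get the untainting described in the comments; without -T the validation still rejects the second and third requests, but the taint tracking is off.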

