Re: How to answer "Perl is not secure" objections?

Is he a Java guy? If so, he's probably thinking of how Java can prevent programs from accessing certain things (e.g. the filesystem). However, since any non-trivial Java program needs to access the filesystem, this type of permission will be granted immediately. It's more relevant for things like applets than it is for programs you would write in-house.

In terms of things to read, here are three good ones:

The perlsec manpage, which makes it clear how serious the developers of Perl are about security.
The security chapter from O'Reilly's CGI programming book published in 2000 (and still totally relevant).
merlyn's column about SQL injection safety.

The most important point to make, IMO, is that security is a feature of programmers and their process, not of languages. There is no reason to think that a .NET or Java program that accessed a database and some files is more secure than a Perl program that does the same.

Comment on Re: How to answer "Perl is not secure" objections?

Replies are listed 'Best First'.
Re^2: How to answer "Perl is not secure" objections? by radiantmatrix (Parson) on Sep 06, 2007 at 21:03 UTC
Is he a Java guy? No, he's upper management. We're beyond the pale of tech-savvy at this point. The guy believes this because someone he trusts (probably a vendor) told him so. What I'm looking for is essentially literature that talks about how secure Perl is, or speaks to other big-name orgs using Perl for "high-risk" data like financial transactions. Something digestible for the upper-manglement set. <–radiant.matrix–> Ramblings and references The Code that can be seen is not the true Code I haven't found a problem yet that can't be solved by a well-placed trebuchet	[reply]
Re^3: How to answer "Perl is not secure" objections? by kwaping (Priest) on Sep 06, 2007 at 22:18 UTC
You can find some great information about big-name organizations (and governments) using Perl here: http://www.oreillynet.com/pub/a/oreilly/perl/news/success_stories.html I'm positive you can find some juicy tidbits for your side of the debate there. --- It's all fine and dandy until someone has to look at the code.	[reply]
Re^3: How to answer "Perl is not secure" objections? by perrin (Chancellor) on Sep 07, 2007 at 03:51 UTC
Well, Amazon.com and TicketMaster.com run millions of dollars of business through their websites, which are written in perl. That seems like a pretty solid case to me.	[reply]
Re^3: How to answer "Perl is not secure" objections? by CountZero (Bishop) on Sep 07, 2007 at 16:37 UTC
As was told during the latest YAPC::EU job fair, VERISIGN uses Perl! If I remember well, they have about a million lines of Perl code in their applications and they are still actively seeking Perl programmers (see Perl Jobs). If Perl was inherently insecure, should a company like Verisign use it? CountZero A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James	[reply]


Clear questions and runnable code get the best and fastest answer
	PerlMonks