PerlMonks
Security is never a “product.” It is a process. Therefore, no security-testing “product, alone” would have any meaning, even if you did find one. (And of course, you can. Snake-oil sells well.)

Having said all that, I do have a few idle thoughts about what I'd consider to be things that you should keep in mind with regard to the security of your Perl-based web site:

  1. Your Perl version, and your web-site software whatever it is, should be kept up-to-date. This allows you to keep abreast of the updates that are from time to time provided by the various software suppliers. Keep abreast of discussions that happen right here.
  2. Most intrusions into a web-site are actually “out-of-band.” No one penetrated the defenses of the web-site: they went around it, just as the Germans defeated the Maginot Line by rendering it obsolete. Therefore, pay most attention to the operating-system environment, to the integrity of your shared-hosting vendor, and to thoroughly hardening your dedicated-host environment. (For example, if you are using a “convenient” tool like Plesk, you are most likely already $DEAD $BEEF, and don’t blame Perl for that.)
    • Somehow, this quote from the above-referenced Wikipedia article seems especially apropos: “Generals always fight the last war, especially if they have won it.”
  3. The coding practices of your entire system must be such that a Bobby Tables attack cannot by any means be mounted. No “magic tool” on the planet can help you with this: either your code is invulnerable to it by design, or you are $DEAD $BEEF and the entire world (except you, fool) already knows about it.
  4. “Security” of a web-site is the kid-brother of “Total Reliability.” It is completely astonishing to me how many production web-sites are out there which I can drop into 500 Internal Error just by innocently selecting a particular menu-option or pressing a particular button that the programmer did not bother to test. (Quite literally, only one path through the application has ever been swept for mines. No wonder the customers are unhappy.) There are plenty of tools such as Selenium by which a thorough front-end functionality test can be built and automated, and even driven using Perl. (There are, at this writing, 45 hits for “Selenium” at http://search.cpan.org.) But it is very, very rarely done.
    • More than one time this year, I have been morally and pragmatically obliged to say to a (potential) client: “Well, sir, before we can discuss enhancements to your web-site, first we must stabilize it, because right now I can drop it on its a*s more-or-less at will.” This is not always popular ... or profitable ... but of course I won’t pick up a client (or wish to, for I would surely lose much money...) whose understanding of their true business condition is less than realistic.


In reply to Re: Web Application Security Vulnerability testing by sundialsvc4
in thread Web Application Security Vulnerability testing by squimby
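Point 3 of the reply above says the code must be "invulnerable by design" to a Bobby Tables attack. In Perl the design decision that achieves this is to use DBI bind placeholders rather than interpolating request parameters into SQL text. The following is an added example written for this page, not code from the reply or from any project it mentions; it assumes DBD::SQLite is installed so that the sample table can live in an in-memory database, and the `students` table, its two rows and the hostile name are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data in an in-memory SQLite database so the example runs
# offline. Assumes DBD::SQLite is installed (an assumption, not something the
# post states).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1, PrintError => 0 });

$dbh->do('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$dbh->do(q{INSERT INTO students (name) VALUES ('Alice'), ('Bob')});

# The kind of input a Bobby Tables attack relies on: a quote that ends the
# string literal early, so the rest of the value is parsed as SQL.
my $hostile_name = "Robert' OR '1'='1";

# Vulnerable pattern: the request parameter is interpolated into the SQL
# text. The database cannot tell where the query ends and the data begins.
# Kept here only to contrast with the safe form below.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT id, name FROM students WHERE name = '$name'";
    return $dbh->selectall_arrayref($sql);
}

# Safe pattern: a bind placeholder. The SQL text is a constant; DBI passes the
# value to the driver as data, so a quote inside it can never change the query.
sub lookup_bound {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare('SELECT id, name FROM students WHERE name = ?');
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

my $leaked = lookup_interpolated($dbh, $hostile_name);
my $safe   = lookup_bound($dbh, $hostile_name);

printf "interpolated query: %d row(s) for a name that matches nobody\n",
    scalar @$leaked;
printf "bound query:        %d row(s)\n", scalar @$safe;

$dbh->disconnect;
```

With the interpolated form the WHERE clause becomes `name = 'Robert' OR '1'='1'`, which is true for every row, so both constructed students come back; with the placeholder the whole hostile string is compared as one literal name and no row matches. The same `prepare`/`execute` pattern covers INSERT and UPDATE statements, which is where the original Bobby Tables joke lives. A code review that greps for a `$` or `@` inside a string literal passed to `do`, `prepare` or `selectall_arrayref` is a cheap way to find the interpolated form in an existing code base.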
