Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Comment on

( #3333=superdoc: print w/ replies, xml ) Need Help??
First let me state that I do agree with most of this post and with most of the comments so far and that this is a great rule of thumb.

However I would like to point a few things out as I write a ton of incredibly insecure code almost daily and get away with it:
  • Point #1 - Not all of us write code for production environments or even multi-user machines
  • Point #2 - Writing secure code takes a lot of extra time, and I'm not saying it's not well spent, just another point
  • Point #3 - In some cases security is not neccisary, at all!
  • Point #4 - Giving "Good" security advice is nearly impossible these days, as there is someone who will disagree with whatever protocol/algorithm/tool/solution you recomend.
  • Point #5 - Security in code usually requires overhead of some sort.

    Now I want to take the points I made and explain why I made them. I write code to test a suite of Network devices, ALL of this code is run on steril networks, and none of it needs to be secure, all I need to do is get the job done as fast as I can!

    Please don't get me wrong, I have made security (specifically network security) my life's work and I am dedicated to making the Net and all of it's tributaries more secure, but there is a time and place for everything, and sometimes the advice I need does not require security. Sometimes I just need the quick and dirty way to do it.

    I would however like to advocate Disclaimers for ANY code/advice you know to be even the slightest bit vulnerable! Just because You or I may not require the security in that situation doesn't mean that fair warning should not be posted.

    The other point I would like to make is that many of the folks asking for advice here need to know HOW to do it in the first place and will worry about the security after proof of concept stage. Many posters already have a security model in place and are dealing with many of the concerns brought up, and just need some logic help.

    I beleive some of the source of this post were the several posts about filenames and uploads using CGI.pm, and I agree that people should be VERY security aware when handing out advice for those situations, and should remember that they may be educating newbies to not only Perl, but also Programming in general, and installing good security practices at that stage of learning is critical.

    I will probably get chewed on for this POV, but I am willing to sacrifice those XP :)

    "Nothing is sure but death and taxes" I say combine the two and its death to all taxes!

    In reply to Devil's (BSD) Advocate by Rex(Wrecks)
    in thread (OT) Security Rant by Ovid

    Title:
    Use:  <p> text here (a paragraph) </p>
    and:  <code> code here </code>
    to format your post; it's "PerlMonks-approved HTML":



  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • Outside of code tags, you may need to use entities for some characters:
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?
    Username:
    Password:

    What's my password?
    Create A New User
    Chatterbox?
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others meditating upon the Monastery: (4)
    As of 2014-12-28 13:57 GMT
    Sections?
    Information?
    Find Nodes?
    Leftovers?
      Voting Booth?

      Is guessing a good strategy for surviving in the IT business?





      Results (181 votes), past polls