Not only is security not layered in from the start, and it's not taught to folks, I think there is a set of developers who don't think it's as important as it is. This is probably due to lack of training, because I don't think folks want to do a bad job, if they KNOW they are doing a bad job.
I view CGI security like nutrition education related to health care in the US. If everyone were taught it and understood it, from the very beginning, many problems would be avoided.
I did a code review for a woman who built a formmail.pl-like script. She accepted "to" addresses straight from submitted form elements with no "validity" checking (like making sure only certain addresses could be mailed to, or better yet, taking email addresses right off the page and integrating them into her app), making her script (which she distributes on her website, BTW) ripe for hijacking by spammers. When I pointed this out to her, her response was "No one is going to bother to figure it out. Besides, I want my scripts to be usable by average humans."
Her point being that security by obscurity was enough, and that "security" ne "usability". My reply back was if you're doing something, you should do it RIGHT, and not protecting your users is a BAD THING. At least give them the option to have a secure script. If someone is going to install a freakin' script, they can make a list of valid email addresses (or maybe they shouldn't be using CGI scripts...) Anyway, she wanted to work collaboratively on a project with me... I think I'll pass on this one.
-Any sufficiently advanced technology is
indistinguishable from doubletalk.
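
The two fixes the post names (a list of valid addresses, and keeping addresses out of the page entirely) can be sketched as follows. This is an added example, not part of the original post and not the reviewed script; `%RECIPIENTS`, `resolve_recipient` and the example.com addresses are hypothetical names and constructed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample configuration: the person installing the script
# edits this list once. Form pages carry only the alias on the left.
my %RECIPIENTS = (
    sales   => 'sales@example.com',
    support => 'support@example.com',
);

# For forms that still submit a literal address: lower-cased address
# mapped to the approved spelling, so only listed addresses match.
my %ALLOWED_ADDRESS = map { lc($_) => $_ } values %RECIPIENTS;

# Turn the submitted "to" field into an approved address, or return
# undef so the caller refuses to send anything.
sub resolve_recipient {
    my ($submitted) = @_;
    return unless defined $submitted && length $submitted;

    # Accept a single token only: no whitespace, control characters or
    # separators that could smuggle in additional recipients.
    return if length($submitted) > 254 || $submitted =~ /[\s,;\x00-\x1f]/;

    # Preferred mode: the form holds an alias, never an address.
    return $RECIPIENTS{$submitted} if exists $RECIPIENTS{$submitted};

    # Fallback mode: a literal address, accepted only on exact match.
    return $ALLOWED_ADDRESS{ lc $submitted };
}

# Constructed inputs standing in for submitted form values.
my @samples = (
    'sales',
    'Support@Example.com',
    'someone@elsewhere.example',
    'sales@example.com,someone@elsewhere.example',
    undef,
);

for my $to (@samples) {
    my $addr  = resolve_recipient($to);
    my $shown = defined $to ? $to : '(missing)';
    printf "%-45s => %s\n", $shown, defined $addr ? $addr : 'REJECTED';
}
```

In a real form handler the value passed to `resolve_recipient` would come from the submitted "to" parameter, and a rejected value should end the request before any mail is built.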