http://www.perlmonks.org?node_id=157271


in reply to web site design, or lack thereof

Not coming directly from a computer background, but enough interaction with it, it seems to me that security, or as someone else put it, "distrusting any user input", is not something typically taught in computer courses, or if it is, it's an afterthought to the rest of the course. True, this is usually not directly a language issue but more of a general programming design issue, but again, I've seen some CSE course listings that don't really have a design course at any point, only technology on top of technology. Even if you look at computer books, that security is not heavily emphasized (a quick memory flip through the ORA CGI mouse book doesn't bring any major security things in the early part of the book to mind, as one example,). In addition, as .NET and Java become more popular, with their 'sandbox' that too many ppl take security for granted, it's bound to continue to be as such. Thus, you get people like the above, or Matt's Script Archives, or other numerous examples.

Thus, IMO, this is something that needs to be fundamentally changed at the low-level of CSE-type programs as to encourage building design around security before any code is written, and to use the language to that advantage to follow insecure input. Perl's one of the few that has this feature with taint mode, but, by default, languages like C, C++, or Java lack it. Thus, it would take more work for those languages to adapt, but certainly not impossible.

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
"I can see my house from here!"
It's not what you know, but knowing how to find it if you don't know that's important