Re: Use placeholders. For SECURITY!
by sauoq (Abbot) on Nov 14, 2003 at 03:10 UTC
Of course, I agree.
I understand why you were bothered by that node I wrote, but I'd appreciate it if you would re-examine the context in which I said it. It wasn't a node about database programming. It wasn't a node about CGI. It wasn't a node about security.
It was, in essence, a node about pacing your growth as a programmer.
In that node, I suggested that learning fundamentals was ever so much more important than learning details. The fundamental issue, in this case, is the security implication of untrusted input.
You wrote, "Escaping things yourself is better than nothing, but by and large the ones who know how to do it right also know enough reasons to use placeholders that they do that instead." And I agree. But then again, I'd rather employ someone who knows how to do it right and uses placeholders than someone who uses placeholders because they saw an article on a website that told them they should "for security." The former's understanding would be far more valuable than the latter's best practices.
It's all too easy to focus on one or two small details and miss the forest for the trees. Yes, use placeholders. Yes, use tainting. Yes, have your DBA lock down the database to the best of his ability. Yes, use encryption. Yes, take every precaution you can and buy insurance (because you have to assume you're not secure anyway).
The one thing I don't agree with in this article is the order that you put your 5 points. Number 4 ("Submit your code to code reviews.") should be number 1. You can't write secure code in a vacuum. If you neglect all of the other points, don't neglect this one. That way, someone can tell you that you are neglecting the others.
In further defense of my aforementioned node, I must note that I was addressing it to someone whose description of himself implied that he was a novice or maybe intermediate programmer. I could be wrong, but I didn't get the impression that he was writing ecommerce frameworks for a living. Yes, security is important, especially on the wild wild web; and it is paramount when you are handling other people's private data. But most people aren't.
Ecommerce is sexy and gets all the press but most programmers are probably writing code for relatively mundane, in-house, non-mission-critical tasks. Of course, this is a very good thing because most programmers don't know everything there is to know about security, and projects like these give them a way to gain experience and earn a living without jeopardizing your Visa account.
Finally, although I agree that the responsibility for security rests on the developers, it doesn't rest on the developers alone. For instance, that responsibility also lies with the people who hire the developers. Perhaps it should be suggested that they always ask interviewees to explain why using placeholders is so important. It seems, to me anyway, that addressing the meta-problem might actually be more effective.
-sauoq "My two cents aren't worth a dime.";