PerlMonks
I agree 100% with you, Ovid, on the need for this type of tutorial / book. Security must be built in from the beginning. The problem is (or the decision), how wide do you make the problem space? For example, it is all well and good for our perl code to "do the right thing", but if the web server is wide open to attack, because access controls within the apache configuration are missing, or because of inadequate firewall settings, someone can access the physical machine, we are still in a bad way.

The argument that "we should not tell potential script kiddies how to crack systems" is spurious. The crackers will know (or already know) the holes and exploits. I cannot see what additional damage pointing out these holes in a "Perl, CGI and Security" book would be. Sure, some other people may learn and try to use the exploits. But sites that are affected would probably be hit anyway. What it would result in is web administrators tightening up and removing any holes.

Security by Obscurity is no security - someone will find out, and the crackers have a pretty good method for informing each other of these holes.

I agree on the emphasis on CGI.pm, as well. The trouble with many of the "How to be a cool web developer in Perl / CGI in 7 days" type of books is they do not explain the underlying operations in CGI programming, and how HTTP actually works. Just as the rise in wysiwyg HTML "editors" has allowed anyone to have their own web site, without understanding what the processes are in delivering and rendering the resulting page, so many developers do not understand the environment.

A question - are you wanting to make your book (tutorials) server independent, or will you assume an Apache environment? If so, you may want to consider the impact of mod_perl, and the changes to programs that are required to ensure persistence does not cause strange problems (I still get caught occasionally).

Ken


In reply to RE: Perl, CGI, and Security by Maclir
in thread Perl, CGI, and Security by Ovid
