http://www.perlmonks.org?node_id=157260


in reply to web site design, or lack thereof

Agreed, clueless companies sometimes hire clueless people to write code that impacts the bottom line. These people don't do the extensive and continual learning that is required. One senior ASP guy I know is relatively clueful but hates reading (eek!). People base their ideas on the things they can see, and security is usually not one of them. This is related to the discussions of insecure cut-and-paste scripts on the net.

I've done code review and evangelism, but it doesn't end. Once I was asked to review someone's work for the cross-site scripting vulnerability, which is good news, but most people do not understand the concept of building in security from the start, as you probably know.

I've often thought PM should have a well-organized section on security. Something more than the "CGI programming" page. It could include skeleton code, CPAN module reviews, and writeups on the issues and security philosophy. Maybe it could have a security issues checklist for clients to ask programmers to answer.

I think most monks figure out their own security strategies, which is okay (this is Perl), but rolling your own is not a good strategy if you can't write the unit test. So what if each of us has to absorb a hundred megabytes a year just to stay alert. But new programmers? They often don't know anything about engineering or accepted practices. Or they cross over from their real discipline. There's perlsec, but it doesn't cover everything. We should at least point them to a book or something, maybe yours.

If we are trying to increase the number of Perl programmers, maybe we should start with security. Something organized would improve security on the web, I think. Type "Security" into the search box and you get a good thread, but just a short one, you know? Advanced programmers could benefit too. For example, login code for CGI::Application with versions using and not using Apache auth modules, for starters.

What would you say to contributing to such a section?