Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris

Re: Secrets & Lies & Perl

by clemburg (Curate)
on Sep 04, 2001 at 18:47 UTC ( #110046=note: print w/replies, xml ) Need Help??

in reply to Secrets & Lies & Perl

What else should I be watching out for? And as a general practice, how much bullet-proofing do programmers put into code before they say that enough is enough. I mean, theoretically I could check every variable all the time to make sure it is about what I expect it to be like, I could wrap almost everything in evals to trap errors, I could go on. But how do you draw the line?

A rational way to "draw the line" would be to do a risk assessment and cost/benefit analysis on your code. A good introductory discussion is provided in Chapter 2 "Policies and Guidelines" of Practical Unix and Internet Security by Simon Garfinkel and Gene Spafford.

Also, if I recall correctly, Mr Schneier himself presents an approach to threat modeling and risk assessment in the book you mention.

To actually "draw the line", you will have to think and decide for yourself. No magic bullets here. And it will probably not be a really "rational" decision, either.

Christian Lemburg
Brainbench MVP for Perl

Replies are listed 'Best First'.
(redmist) Re: Re: Secrets & Lies & Perl
by redmist (Deacon) on Sep 04, 2001 at 21:55 UTC
    A rational way to "draw the line" would be to do a risk assessment and cost/benefit analysis on your code.

    This is really the only sane way to manage security. Even though there is no such thing as real, absolute security, there is such thing as more secure. This increase in security has a neccessary increase in time and manpower related to it. You just have to look at what kind of data you are handling, the sensitivity of the data, how much you care, how much time and money you have, and countless other factors, and then make a security model for yourself.

    The cost of superior security is eternal vigilance.

    Purple Monkey Dishwasher

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://110046]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (5)
As of 2023-02-06 10:12 GMT
Find Nodes?
    Voting Booth?
    I prefer not to run the latest version of Perl because:

    Results (33 votes). Check out past polls.