http://www.perlmonks.org?node_id=1144538


in reply to Re: Crash-Test Dummies: A Few Thoughts on Website Testing
in thread Crash-Test Dummies: A Few Thoughts on Website Testing

Yes. You point out some bad, terrible practices that happen in the wild at either hopelessly amateur shops or shops that grew too fast from the naïve age of CGI and have escaped being hacked by virtue of being too small or too pointless to be worth the trouble; or not knowing they have been hacked.

The list of responses and practical fixes to the issues would fill an entire website, which you already cited: OWASP. There is NO package or module or framework or single set of best practices that solves for all this and even if there were it would change constantly. You just have to know what you're doing and you have to keep up.

Every dev worth her salt knew the context sensitivity in CGI->param so used it without introducing exploits. Mojolicious cookies are slightly more secure out of the box than other current frameworks. Crypt::Eksblowfish::Bcrypt passwords are better by far than Digest::SHA but new chips and algorithms have already made it weaker than it was. It's a laundry list full of—Yeah, so what? You need to know that—and like a doctor who doesn't read medical journals, a dev who doesn't keep up with the art isn't safe or reliable.

Imagine posting on a biology forum: Mobility in organisms? Let's hear your ideas. It's a sawed-off shotgun fired into the air. Picking one security issue or an actual, open problem you're facing with some GODDAMNED WORKING CODE would be more likely to fruit.
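As an added illustration of the CGI->param context sensitivity the reply mentions (example code, not the poster's; it assumes CGI.pm is installed, since it left the Perl core in 5.22, and builds the request from a constructed query string so it runs offline):

```perl
#!/usr/bin/perl
# Added example: the list-context hazard of CGI->param, vulnerable form
# beside the hardened one. Assumes CGI.pm is installed.
use strict;
use warnings;
use CGI;

# Constructed request: 'name' is supplied three times. In list context
# param('name') returns all three values, not just the first.
my $q = CGI->new('name=alice&name=is_admin&name=1&email=alice@example.com');

# Vulnerable: inside a hash constructor param() is called in list context,
# so the three 'name' values flatten into the key/value list and smuggle in
# a key (is_admin => 1) the code never meant to accept from the client.
# Newer CGI.pm releases emit a warning when param() is used this way.
sub build_user_vulnerable {
    my ($q) = @_;
    return { name => $q->param('name'), email => $q->param('email') };
}

# Hardened: force scalar context (first value only) before the hash is
# built, so client input can never change the set of keys.
sub build_user_safe {
    my ($q) = @_;
    return {
        name  => scalar $q->param('name'),
        email => scalar $q->param('email'),
    };
}
# Where several values are genuinely expected, ask for them explicitly with
# $q->multi_param('name') so the intent is visible in the code.

for my $builder (\&build_user_vulnerable, \&build_user_safe) {
    my $user = $builder->($q);
    print join(', ', map { "$_=$user->{$_}" } sort keys %$user), "\n";
}
```

The vulnerable builder's hash gains an is_admin key the code never asked for; the hardened one contains only name and email. The same flattening hits any list-context use, such as passing param() results straight into a function's argument list.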