Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

Not only is security not layered in from the start, and it's not taught to folks, I think there is a set of developers who don't think it's as important as it is. This is probably due to lack of training, because I don't think folks want to do a bad job, if they KNOW they are doing a bad job.

I view CGI security like nutrition education related to health care in the US. If everyone were taught it and understood it, from the very beginning, many problems would be avoided.

I did a code review for a woman who built a like script. She accepted "to" addresses straight from submitted form elements with no "validity" checking (like making sure only certain addresses could be mailed to, or better yet, taking email addresses right off the page and integrating them into her app), making her script (which she distributes on her website, BTW) ripe for hijacking by spammers. When I pointed this out to her, her response was "No one is going to bother to figure it out. Besides, I want my scripts to be usable by average humans."

Her point being that security by obscurity was enough, and that "security" ne "usability". My reply back was if you're doing something, you should do it RIGHT, and not protecting your users is a BAD THING. At least give them the option to have a secure script. If someone is going to install a freakin' script, they can make a list of valid email addresses (or maybe they shouldn't be using CGI scripts. . .) Anyway, she wanted to work collaboratively on a project with me. . .I think I'll pass on this one.

-Any sufficiently advanced technology is
indistinguishable from doubletalk.

In reply to Re: •web site design, or lack thereof by Hero Zzyzzx
in thread web site design, or lack thereof by merlyn

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and the web crawler heard nothing...

    How do I use this? | Other CB clients
    Other Users?
    Others studying the Monastery: (5)
    As of 2020-10-21 08:16 GMT
    Find Nodes?
      Voting Booth?
      My favourite web site is:

      Results (212 votes). Check out past polls.