in reply to Essential CGI Security Practices

Good list, to which I would add:

Peer Review - Apply several pairs of competent eyeballs to the code. A skilled colleague, reading the code with a "how would I break this" hat on is a great way to uncover subtle problems.

Data Security - Keep sensitive, missions critical data off of the web server box, especially if you're dealing with credit cards. Encryption isn't always enough.

Replies are listed 'Best First'.
Re: Re: Essential CGI Security Practices
by Ryszard (Priest) on Feb 02, 2002 at 22:55 UTC
    I'd like to add Subsection 1 to Peer Review. This section would be called QA.

    QA - Put your code into a replication of your production environment and get a dedicated QA person to go thru' your application as if it was live on the web. A skilled QA person is a seriously good weapon to have in your arsonal.

    While youre there you may as well set up a dedicated UAT to test your application as well. Keep in mind you shouldnt tell your QA 'guy' about how or what your app does as this may influence the nature of their testing.

      As much as I hate working with QA; partially because where I worked they often served as HCI/UI/HF, (not so) clearly when something is in testing is not the best time to redesign it; I'll have to ++.

      perl -pe "s/\b;([st])/'\1/mg"