I'm putting together some notes for a dev team on how to write secure Perl code - especially taking into account the current OWASP top 10 web application vulnerabilities. For cross-site scripting I've included information on ensuring that all output to the browser is checked and escaped where necessary, but I'm looking for more automated mechanisms that would mean a developer doesn't have to think about every output statement and, potentially, miss one. Perl's 'taint' function sounds like it should be a help because it distrusts all user input, but it doesn't complain on tainted data being output to the browser. Apart from checking all output statements individually (probably by calling a generic sanitizing function) does anyone have any ideas on how Perl can help with this with existing libraries or techniques?
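One programmatic answer to the "don't make the developer think about every output statement" problem is to escape by default at the output boundary and require an explicit marker for anything that is allowed through unescaped; taint mode tracks where data came from, this pattern enforces the sink. The following is an added, self-contained illustration of that pattern in plain Perl (not code from the question or the answer); the `HTMLSafe` package, `escape_html` and `html` helpers are invented names for this example, and the input string is constructed.

```perl
#!/usr/bin/perl
# Added example: escape-by-default output helpers for Perl (illustrative names).
use strict;
use warnings;
use Scalar::Util qw(blessed);

package HTMLSafe;
# Wrapper that marks a string as already-escaped (or deliberately trusted) markup.
# Stringifies transparently, so it can be printed or concatenated like a string.
use overload '""' => sub { ${ $_[0] } }, fallback => 1;
sub new { my ($class, $s) = @_; return bless \"$s", $class; }

package main;

my %ESC = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');

# escape_html: plain strings are HTML-escaped and returned as HTMLSafe;
# values that are already HTMLSafe pass through untouched (no double escaping).
sub escape_html {
    my ($v) = @_;
    return $v if blessed($v) && $v->isa('HTMLSafe');
    (my $s = defined $v ? "$v" : '') =~ s/([&<>"'])/$ESC{$1}/g;
    return HTMLSafe->new($s);
}

# html: a minimal template helper. The literal template text is trusted;
# every {} placeholder is filled through escape_html, so a developer cannot
# forget to escape an interpolated value.
sub html {
    my ($template, @values) = @_;
    (my $res = $template) =~ s/\{\}/escape_html(shift @values)/ge;
    return HTMLSafe->new($res);
}

# Constructed sample input standing in for untrusted request data.
my $display_name = q{Bob <b>"the" builder</b> & Co};

print html('<p>Hello, {}!</p>', $display_name), "\n";
# <p>Hello, Bob &lt;b&gt;&quot;the&quot; builder&lt;/b&gt; &amp; Co!</p>

# Nested fragments built with html() are HTMLSafe, so they compose without
# being escaped a second time.
my $item = html('<li>{}</li>', $display_name);
print html('<ul>{}</ul>', $item), "\n";
```

Raw markup that genuinely must bypass escaping is marked explicitly with `HTMLSafe->new(...)`, which makes every such exception visible in code review (and easy for a Perl::Critic policy to flag).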
- Good question, but I really think it should be on Stack Overflow or maybe security.se. – Jan Hudec, Sep 2, 2013 at 5:43
- I'm specifically interested in how developers are writing programmatic solutions to this - i.e. what code might look like or consider. I agree it's partly about process, but it's more about hands-on development techniques I believe. – David Scholefield, Sep 2, 2013 at 10:00
1 Answer
You might want to take a look at the article CERT Secure Coding Initiative Tackles Standard for Perl, the slides about Perl::Critic for Security Audits, and Perl::Critic in general.
- Would you mind explaining what each of these resources does and what they're good for? "Link-only answers" are not quite welcome at Stack Exchange. – gnat, Sep 2, 2013 at 7:28