
Re: CERT Perl Secure Coding Standard

From: Alexander Hartmaier
Date: December 10, 2012 14:08
Subject: Re: CERT Perl Secure Coding Standard
Message ID: CAB49QrYmw1O4NFtgfW5Onnr6_Z-NH1gsZ+mMxQAabb+SWVPPmA@mail.gmail.com
On Sat, Dec 8, 2012 at 9:19 AM, David Nicol <davidnicol@gmail.com> wrote:

> On Fri, Dec 7, 2012 at 8:41 AM, demerphq <demerphq@gmail.com> wrote:
> > Anybody seen this?
> >
> > http://blog.sei.cmu.edu/post.cfm/the-cert-perl-secure-coding-standard
>
> I'd like to take this opportunity to promote Tie::Function as an
> elegant way to prevent all sorts of quoting injections. Url-encoding,
> HTML Entitization, SQL quoting, and SQL identifier quoting can all
> have their own hashes tied to Tie::Function, and then auditing against
> injection attacks becomes very straightforward, and no data need be
> quoted prior to use.
>

I wonder why the author has the impression "While the Perl community is
interested in improving the language, the focus on security has
historically tended to take a back seat to other priorities, such as new
features and improved performance."?
Looking at the taint mode and hash algorithm discussions, I'd say that p5p
is very concerned about keeping security-related features alive and fixing
security-related bugs ASAP.
Can someone try to contact the author to discuss his opinion before it
spreads?
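The quoted suggestion above is to tie one hash per output context so that every untrusted value is quoted at the moment it is interpolated. The following is an added example illustrating that idea; it is not code from the original thread or from the Tie::Function distribution. To keep it runnable on core Perl, a four-line tie class (Tie::QuoteHash) stands in for Tie::Function; the comment showing how Tie::Function itself would be tied is based on its documented `tie my %h, 'Tie::Function', sub {...}` form and is an assumption about that module. The quoting functions, hash names and the attacker-controlled inputs are all constructed for the example.

```perl
#!/usr/bin/env perl
# Added example, not from the original post: hashes whose FETCH applies a
# context-specific quoting function, in the style of Tie::Function.
# Tie::QuoteHash below is a stand-in so this runs on core Perl only; with
# the CPAN module the equivalent would be (assumed interface):
#   tie my %HTML, 'Tie::Function', \&html_escape;
use strict;
use warnings;

package Tie::QuoteHash;
sub TIEHASH { my ($class, $code) = @_; return bless { code => $code }, $class }
sub FETCH   { my ($self, $key) = @_;  return $self->{code}->($key) }
# Storing into a quoting hash is always a bug; fail loudly rather than silently.
sub STORE   { die "Tie::QuoteHash is read-only\n" }
sub EXISTS  { return 1 }

package main;

# Each quoting function takes the raw, untrusted value and returns a form
# that is safe in exactly one output context.
sub url_escape {
    my $s = shift;
    utf8::encode($s) if utf8::is_utf8($s);           # escape bytes, not characters
    $s =~ s/([^A-Za-z0-9\-_.~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}
sub html_escape {
    my $s = shift;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}
# ANSI SQL string literal: wrap in single quotes, double any embedded one.
# Driver-specific rules (e.g. backslash escapes in MySQL) belong to
# $dbh->quote, and bind placeholders remain the first choice for values.
sub sql_literal    { my $s = shift; $s =~ s/'/''/g; return "'$s'" }
# ANSI SQL identifier: wrap in double quotes, double any embedded one.
sub sql_identifier { my $s = shift; $s =~ s/"/""/g; return qq{"$s"} }

tie my %URL,  'Tie::QuoteHash', \&url_escape;
tie my %HTML, 'Tie::QuoteHash', \&html_escape;
tie my %SQL,  'Tie::QuoteHash', \&sql_literal;
tie my %ID,   'Tie::QuoteHash', \&sql_identifier;

# Constructed attacker-controlled inputs.
my $name  = q{O'Brien <script>alert(1)</script>};
my $query = q{a&b=c d};
my $col   = q{name" OR "1"="1};

# The raw data is never modified. Quoting happens at the point of use and
# the context is visible in the hash name, so an audit reduces to finding
# interpolations of untrusted data that are not wrapped in one of these hashes.
print "Hello, $HTML{$name}!\n";
print "/search?q=$URL{$query}\n";
print "SELECT * FROM users WHERE name = $SQL{$name}\n";
print "SELECT $ID{$col} FROM users\n";
```

Because a value only ever enters output through `$HTML{...}`, `$URL{...}`, `$SQL{...}` or `$ID{...}`, a reviewer can grep for bare `$var` interpolations in output-producing statements and treat each hit as a finding; the tied hash also prevents the classic double-encoding mistake, since nothing is quoted before the point of use.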


