[yapc] CERT Secure Coding Initiative Tackles Standard for Perl
Bruce Gray
bruce.gray at acm.org
Mon Jun 11 18:00:03 PDT 2012
On Jun 11, 2012, at 5:17 PM, Robert Blackwell wrote:
> My wife just alerted me to something interesting.
>
> CERT Secure Coding Initiative Tackles Standard for Perl
> http://www.sei.cmu.edu/newsitems/draft-perl-standard.cfm?wt.ac=hpFeature
>
> Is anyone at YAPC::NA involved?
I don't know of anyone here being directly involved.
However, at Perl Oasis 2012, Casey West presented a talk on a related
theme:
http://www.perloasis.info/opw2012/talk/3905
Perl::Critic for Security Audits
It's still common to have mission-critical Perl CGI scripts from 2001
in production, like it or not. Often they're frozen and not kept up to
date. They keep doing the job, and there's a lot of merit to that. But
what about security concerns?
Cross Site Scripting (XSS) and Database SQL Injection attacks are all
too common ways for attackers to exploit vulnerabilities in your
software. If you have thousands of lines of legacy code to go through,
give these techniques a try to find and fix potential security holes.
This talk will walk you through the implementation of two
Perl::Critic policies designed to analyze and detect potential
security vulnerabilities. Static analysis can help you determine the
scope of work involved in closing security holes in your code, and err
on the side of false positives.
You will learn some advanced techniques for using PPI to analyze your
code, and Perl::Critic to easily generate reports for estimation and
analysis by your team.
At the end of the talk these security-oriented policies will be
uploaded to CPAN for your general use, and you will understand enough
of how they're built to adapt them to your own internal frameworks and
interfaces.
--
Hope this helps,
Bruce Gray (Util of PerlMonks)
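As an added example of the kind of policy the abstract describes (this is not code from the page, from Perl::Critic itself, or from Casey West's talk), here is a Perl::Critic policy that uses PPI to flag DBI calls whose SQL statement is assembled at run time: an interpolated double-quoted string, qq{} or heredoc, a `.` concatenation, or a sprintf/join call in the first argument. Calls that use `?` placeholders are left alone. A driver at the bottom runs the policy over a constructed sample of a legacy CGI script. The policy name, the list of DBI methods, and the sample script are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example: Perl::Critic policy flagging DBI calls whose SQL is built by
# interpolation or concatenation, plus a driver that runs it over a constructed
# sample. Not code from the page or from the talk; names are assumptions.
use strict;
use warnings;

package Perl::Critic::Policy::Security::ProhibitInterpolatedSQL;

use parent 'Perl::Critic::Policy';
use Perl::Critic::Utils qw( :severities is_method_call parse_arg_list );

use constant DESC => 'SQL statement built by interpolation or concatenation';
use constant EXPL => 'Use placeholders (?) and pass the values to execute()';

# DBI methods whose first argument is a SQL string (assumed list; extend as needed).
my %SQL_METHOD = map { $_ => 1 } qw(
    prepare prepare_cached do
    selectall_arrayref selectall_hashref selectcol_arrayref
    selectrow_array selectrow_arrayref selectrow_hashref
);

sub supported_parameters { return () }
sub default_severity     { return $SEVERITY_HIGHEST }
sub default_themes       { return qw( security ) }
sub applies_to           { return 'PPI::Token::Word' }

sub violates {
    my ( $self, $elem, undef ) = @_;

    # Only $dbh->prepare(...), $dbh->do(...) etc.; not a bareword or a sub named "do".
    return if !$SQL_METHOD{ $elem->content };
    return if !is_method_call($elem);

    my @args = parse_arg_list($elem);      # one arrayref of tokens per argument
    return if !@args;

    return if !_is_dynamic_sql( @{ $args[0] } );
    return $self->violation( DESC, EXPL, $elem );
}

# True when the tokens of the first argument build the SQL text at run time.
# A bare variable ($sql) is not flagged: knowing whether it holds a constant
# needs data-flow tracking, which this policy does not attempt.
sub _is_dynamic_sql {
    my (@tokens) = @_;
    for my $t (@tokens) {
        if (   $t->isa('PPI::Token::Quote::Double')
            || $t->isa('PPI::Token::Quote::Interpolate') ) {
            return 1 if _interpolates( $t->string );    # "... $id ..." / qq{... $id ...}
        }
        elsif ( $t->isa('PPI::Token::HereDoc') ) {
            next if $t->content =~ /<<\s*~?\s*'/;        # <<'SQL' does not interpolate
            return 1 if _interpolates( join q{}, $t->heredoc );
        }
        elsif ( $t->isa('PPI::Token::Operator') && $t->content eq q{.} ) {
            return 1;                                    # '...' . $value
        }
        elsif ( $t->isa('PPI::Token::Word')
            && $t->content =~ /\A(?:sprintf|join)\z/ ) {
            return 1;                                    # sprintf('... %s', $value)
        }
    }
    return 0;
}

# An unescaped $ or @ followed by something that can start a variable name.
sub _interpolates {
    my ($text) = @_;
    return $text =~ /(?<!\\)(?:\\\\)*[\$\@](?:\w|\{|::)/ ? 1 : 0;
}

package main;

use Perl::Critic;

# Constructed sample of a legacy CGI script: three unsafe calls, two safe ones.
my $legacy_cgi = <<'END_SAMPLE';
use CGI;
use DBI;
my $q   = CGI->new;
my $dbh = DBI->connect('dbi:SQLite:dbname=app.db');
my $id  = $q->param('id');
my $sth = $dbh->prepare("SELECT name FROM users WHERE id = $id");
$dbh->do('DELETE FROM sessions WHERE user = ' . $q->param('user'));
my $rows = $dbh->selectall_arrayref(<<"SQL");
SELECT * FROM access_log WHERE ip = '$ENV{REMOTE_ADDR}'
SQL
my $safe = $dbh->prepare("SELECT name FROM users WHERE id = ?");
$safe->execute($id);
$dbh->do('UPDATE users SET last_seen = ? WHERE id = ?', undef, time, $id);
END_SAMPLE

# No profile and no stock policies: only the one added here, through the
# object-accepting form of add_policy(). Installing the package as a .pm under
# Perl::Critic::Policy:: in @INC instead lets `perlcritic --single-policy` use it.
my $critic = Perl::Critic->new( -profile => 'NONE', -only => 1 );
$critic->add_policy(
    -policy => Perl::Critic::Policy::Security::ProhibitInterpolatedSQL->new(),
);

for my $v ( $critic->critique( \$legacy_cgi ) ) {
    printf "line %d: %s\n  %s\n", $v->line_number, $v->description, $v->source;
}
```

The driver reports the `prepare` with an interpolated `$id`, the `do` with a concatenated parameter, and the `selectall_arrayref` heredoc containing `$ENV{REMOTE_ADDR}`; the two placeholder-based calls are not reported, and a double-quoted statement without variables is not flagged merely for its quoting. An XSS policy fits the same shell: `applies_to` stays on `PPI::Token::Word`, and `violates` looks for `print` statements whose arguments include an unescaped `$q->param(...)` or other request data, which is exactly where the "err on the side of false positives" advice above comes in, since deciding what counts as escaped depends on the application's own helper functions.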