[yapc] CERT Secure Coding Initiative Tackles Standard for Perl

Bruce Gray bruce.gray at acm.org
Mon Jun 11 18:00:03 PDT 2012


On Jun 11, 2012, at 5:17 PM, Robert Blackwell wrote:

> My wife just alerted me to something interesting.
>
> CERT Secure Coding Initiative Tackles Standard for Perl
> http://www.sei.cmu.edu/newsitems/draft-perl-standard.cfm?wt.ac=hpFeature
>
> Is anyone at YAPC::NA involved?


I don't know of anyone here being directly involved.

However, at Perl Oasis 2012, Casey West presented a talk on a related theme:
	http://www.perloasis.info/opw2012/talk/3905
	Perl::Critic for Security Audits

	It's still common to have mission critical Perl CGI scripts from 2001 in production, like it or not. Often they're frozen and not kept up to date. They keep doing the job, and there's a lot of merit to that. But what about security concerns?

	Cross Site Scripting (XSS) and Database SQL Injection attacks are all too common ways for attackers to exploit vulnerabilities in your software. If you have thousands of lines of legacy code to go through, give these techniques a try to find and fix potential security holes.

	This talk will walk you through the implementation of two Perl::Critic policies designed to analyze and detect potential security vulnerabilities. Static analysis can help you determine the scope of work involved in closing security holes in your code, and err on the side of false positives.

	You will learn some advanced techniques for using PPI to analyze your code, and Perl::Critic to easily generate reports for estimation and analysis by your team.

	At the end of the talk these security oriented policies will be uploaded to CPAN for your general use, and you will understand enough of how they're built to adapt them to your own internal frameworks and interfaces.

-- 
Hope this helps,
Bruce Gray (Util of PerlMonks)
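To make the abstract's idea concrete, here is an added example of the kind of Perl::Critic policy it describes: a PPI-based check that flags DBI calls whose SQL statement is a double-quoted or qq{} literal with a variable interpolated into it, the classic SQL injection pattern in legacy CGI code. It is written for this message and is not code from Casey West's talk or from the policies he published; the policy name (Security::ProhibitInterpolatedSql), the list of DBI methods it watches, and the sample lines in the POD at the bottom are this example's own assumptions. It uses only the documented Perl::Critic::Policy subclass interface (supported_parameters, default_severity, default_themes, applies_to, violates) and the first_arg and is_method_call helpers exported by Perl::Critic::Utils.

```perl
package Perl::Critic::Policy::Security::ProhibitInterpolatedSql;

# Added example policy, not from the talk or from CPAN. Flags DBI calls such
# as $dbh->do("... '$user' ...") where the statement is an interpolating
# string literal containing a variable. Policy name, the method list and the
# sample input in the POD below are assumptions made for this example.

use strict;
use warnings;
use Readonly;
use Perl::Critic::Utils qw{ :severities :classification :ppi };
use base 'Perl::Critic::Policy';

our $VERSION = '0.01';

Readonly::Scalar my $DESC => q{SQL statement built by string interpolation};
Readonly::Scalar my $EXPL =>
    q{Use placeholders (?) and pass the values as bind parameters};

# DBI methods whose first argument is an SQL statement (assumed list).
Readonly::Hash my %SQL_METHOD => map { ( $_ => 1 ) } qw(
    do prepare prepare_cached
    selectrow_array selectrow_arrayref selectrow_hashref
    selectall_arrayref selectall_hashref selectcol_arrayref
);

sub supported_parameters { return ();                 }
sub default_severity     { return $SEVERITY_HIGHEST;  }
sub default_themes       { return qw( security );     }
sub applies_to           { return 'PPI::Token::Word'; }

sub violates {
    my ( $self, $elem, undef ) = @_;

    # Only consider method calls ($dbh->do(...)) to one of the listed names;
    # a bare word 'do' (the do BLOCK keyword) is skipped by is_method_call.
    return if !$SQL_METHOD{ $elem->content };
    return if !is_method_call($elem);

    # The statement is the first argument. This policy only reasons about
    # string literals written at the call site; SQL assembled in a variable
    # elsewhere and passed in is not seen here.
    my $arg = first_arg($elem);
    return if !$arg || !$arg->isa('PPI::Token::Quote');

    # Single-quoted and q{} strings cannot interpolate: nothing to report.
    return if $arg->isa('PPI::Token::Quote::Single');
    return if $arg->isa('PPI::Token::Quote::Literal');

    # Double-quoted or qq{} string: report it if a variable appears inside.
    # An escaped \$ is reported too; as the abstract says, err toward
    # false positives and let a human confirm.
    return if $arg->string !~ m/[\$\@]\w/xms;

    return $self->violation( $DESC, $EXPL, $elem );
}

1;

__END__

=head1 SAMPLE INPUT (constructed for this example)

    $dbh->do("DELETE FROM sessions WHERE user = '$user'");          # reported
    $dbh->prepare(qq{SELECT * FROM items WHERE id = $id});           # reported
    $dbh->do('DELETE FROM sessions WHERE user = ?', undef, $user);  # fine
    $dbh->prepare("SELECT COUNT(*) FROM items");                     # fine, no variable

=cut
```

Save it as lib/Perl/Critic/Policy/Security/ProhibitInterpolatedSql.pm and run it on its own with `PERL5LIB=lib perlcritic --single-policy Security::ProhibitInterpolatedSql legacy.cgi`; each hit prints the description, explanation and line number, which is the kind of report the abstract mentions for estimating the scope of a cleanup. The check is deliberately local: it catches interpolation at the call site and misses statements concatenated into a variable first, so treat a clean run as a starting point for review, not a clean bill of health.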