WebApp Sec mailing list archives
Re: Secure Coding for Newbies?
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 28 Oct 2002 11:17:38 -0500
I absolutely agree with Kevin. Read "A Study in Scarlet" if you don't believe: http://www.securereality.com.au/archives/studyinscarlet.txt. Things like strong typing, lack of pointers, separation of code and data, and modularity don't guarantee security, but it's damn hard to build something secure without them. So choose an environment that makes it as hard as possible to do things wrong.

A nice discussion of securing the PHP environment as well as the code itself is in this Earthweb article: http://softwaredev.earthweb.com/script/article/0,,12063_918141,00.html. There's also another short guide here: http://www.whip3.net/whitepapers/phpguide.php. You might find the Perl information here helpful: http://www.perldoc.com/perl5.6/pod/perlsec.html

Good luck,

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: Kevin Spett
To: joeuser () blazemail com ; webappsec () securityfocus com
Sent: Monday, October 28, 2002 10:31 AM
Subject: Re: Secure Coding for Newbies?

Well, to start with, I think Perl is a bad language for web applications, and I think PHP is truly terrible. There are serious design flaws in PHP (such as giving the client access to all variables), and coding in it securely is annoying enough to make it not worthwhile. In addition, it looks bad. You've got HTML, JavaScript, application code and database code all in a single document, which is no fun at all. Using JSP/XSLT, servlets and Java beans is a much nicer solution from many angles.

But hey, if you want an easy-to-read guide to secure PHP programming, check this out: http://www.zend.com/zend/art/art-oertli.php

Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Joe User" <joeuser () blazemail com>
To: <webappsec () securityfocus com>
Sent: Monday, October 28, 2002 6:03 AM
Subject: Secure Coding for Newbies?
Hi, I'm a beginner in PHP and Perl coding and would like a little help!
I've written a few small scripts for personal use, but I want to start writing scripts that will be used by / open to the public, and want to write them with security in the forefront.
I'm having a hard time finding specific, concrete examples of common webapp security problems and examples of how to avoid them. Many sites say "validate user input" or "avoid path traversal" or "beware of include files" but don't give good examples of *how* I'm supposed to do these things!

I guess I'm looking for something along the lines of "Webapp Security for Dummies" as a building block. Can anybody point to useful resources for this? The OWASP guide seems to be more of a guide for competent coders who already know how to avoid the problems listed. :)
Thanks!
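A concrete illustration of the "validate user input" / "beware of include files" advice Joe is asking about, added here as an example and not code from any of the three posters. The weak form is the pattern Kevin's "client access to all variables" remark refers to (register_globals); the hardened form lets the request pick a key while the server picks the file. The pages/ file names are assumed.

```php
<?php
// WEAK: a request parameter names the file to include.
// With register_globals on, $page is filled straight from the query string;
// with it off, $_GET['page'] is the same untrusted string. Either way the
// client controls part of a filesystem path handed to include().
function render_weak(string $page): void
{
    include "pages/" . $page . ".php";
}

// HARDENED: an allow-list. The client-supplied value is only ever compared
// against keys the developer wrote; it never becomes part of a path.
const PAGES = [
    'home'    => 'pages/home.php',   // assumed file names
    'contact' => 'pages/contact.php',
    'about'   => 'pages/about.php',
];

function resolve_page(?string $requested): string
{
    // Missing, empty, or unknown keys all fall back to the default page,
    // so there is no code path where an unvalidated string reaches include().
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$requested];
}

function render_safe(?string $requested): void
{
    include resolve_page($requested);
}

// Constructed sample requests: only exact allow-listed keys resolve to
// their file; anything else (traversal attempts, URLs, nothing) maps to home.
$samples = ['home', 'contact', '../../etc/passwd', 'http://example.invalid/x', null];
foreach ($samples as $p) {
    echo var_export($p, true), ' -> ', resolve_page($p), PHP_EOL;
}
```

The same allow-list shape works for any request value that selects a server-side resource (template, language file, report name); the client chooses among options, never the path itself.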