Re: Secure Coding for Newbies?

["Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>]

I absolutely agree with Kevin. Read "A Study in Scarlet" if you don't
believe.  http://www.securereality.com.au/archives/studyinscarlet.txt.
Things like strong typing, lack of pointers, separation of code and data,
and modularity don't guarantee security, but it's damn hard to build
something secure without them. So choose an environment that makes it as
hard as possible to do things wrong.

A nice discussion of securing the PHP environment as well as the code
itself is in this Earthweb article
http://softwaredev.earthweb.com/script/article/0,,12063_918141,00.html.
There's also another short guide here
http://www.whip3.net/whitepapers/phpguide.php. You might find the Perl
information here http://www.perldoc.com/perl5.6/pod/perlsec.html helpful.

Good luck,

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
http://www.aspectsecurity.com



----- Original Message -----
From: Kevin Spett
To: joeuser () blazemail com ; webappsec () securityfocus com
Sent: Monday, October 28, 2002 10:31 AM
Subject: Re: Secure Coding for Newbies?


Well, to start with, I think Perl is a bad language for web applications,
and I think PHP is truly terrible.  There are serious design flaws in PHP
(such as giving the client access to all variables) and that coding in it
securely is annoying enough to make it not worthwhile.  In addition, it
looks bad.  You've got HTML, JavaScript, application code and database
code
all in a single document, which is no fun at all.  Using JSP/XSLT,
servlets
and Java beans is a much nicer solution from many angles.

But hey, if you want an easy-to-read guide to secure PHP programming,
check
this out: http://www.zend.com/zend/art/art-oertli.php



Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Joe User" <joeuser () blazemail com>
To: <webappsec () securityfocus com>
Sent: Monday, October 28, 2002 6:03 AM
Subject: Secure Coding for Newbies?


> Hi,
>
> I'm a beginner in PHP and Perl coding and would like a little help!
I've
written a few small scripts for personal use, but I want to start writing
scripts that will be used by / open to the public, and want to write them
with security in the forefront.
> I'm having a hard time finding specific, concrete examples of common
webapp security problems and examples of how to avoid them.  Many sites
say
"validate user input" or "avoid path traversal" or "beware of include
files"
but don't give good examples of *how* I'm supposed to do these things!
> I guess I'm looking for something along the lines of "Webapp Security
for
Dummies" as a building block.  Can anybody point to useful resources for
this?  The OWASP guide seems to be more of a guide for competent coders
who
already know how to avoid the problems listed.  :)
> Thanks!
>
> _____________________________________________________________
> Fight the power!  BlazeMail.com
>
> _____________________________________________________________
> Select your own custom email address for FREE! Get you () yourchoice com
w/No
Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
>