Many moons ago, I wrote and presented a security course - and ever since that time I have been acutely aware of the need to consider security in every aspect of system design, program writing and maintenance. And these days - with many of our programs "exposed" to people who run them from remote places via the web, with plenty of time to break in and malicious scripting too - the lesson to think secure all the time is more important rather than less so.
On the PHP techniques workshop that I ran last week, we ran a really "low gloss" exercise - I describe it as the most boring practical of the course, but it's also the most important, as the specification of the exercise is to set up a page / web site that's robust enough to stand up to whatever I choose to throw at it, and that behaves nicely while standing up, too.
Our courses - be they PHP courses or Perl courses or any of the half dozen other languages we teach - consider security at each stage of the course, and necessarily so, as a system is only as strong as its weakest link. And there are so many aspects to consider - have a look at specialist pages such as [this one], which goes through a lot of things you might not have thought of.
What "keywords" are we talking here? Well, I have just been asked to make security "centre stage" on a Perl course and I listed ... Unit testing, testing, source code control and backups. Injection Attacks. Race Conditions. Cardinal Values. File Locking. Denial of Service. Forking and Zombies. Input validation. Environment Variables. Execs and evals. Buffer Overflows and memory leaks. Design for security. Best practice - naturally robust systems. Security reviewing other code.
And those are the general aspects. Add to that the Perl specifics ... Tainting. Real, effective ID and suidperl. Cleaning up your path. Backticks, evals, execs and subshells. Command line switches. Unicode. Public, protected, private - not in Perl; OO Perl security issues. Regular expressions. Magic in opens, globs, and other wild cards. Temporary files, lock files and file locking. Database transactions. Networking matters, process forking and threads. Sorts that give varying results. Resource hogs and efficiency matters.
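To put a few of those Perl items - tainting, input validation, cleaning up your path, and running an external command without a subshell - into a runnable form, here is an added example. It is not code from this post or from the course material; the file-name policy it enforces (a plain basename of letters, digits, dots, dashes and underscores, not starting with a dot) is an assumption chosen for illustration, and `uploads/` is a hypothetical directory.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode (-T) marks everything that arrives from outside the program
# (@ARGV, %ENV, STDIN, file reads) as tainted. Passing tainted data to
# system(), exec(), backticks, or an open for writing dies with
# "Insecure dependency ... while running with -T switch".
#
# "Cleaning up your path": Perl also refuses to run external commands
# until PATH is untainted and the shell's other magic variables are gone.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';   # a literal assignment is untainted

# The only way to launder tainted data is to match it against a regex and
# take the capture, so the regex *is* the validation policy. Hypothetical
# policy: a basename up to 64 chars of [A-Za-z0-9_.-], not starting with a
# dot, which rules out "../", hidden files, spaces and shell metacharacters.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    if ($raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/) {
        return $1;   # $1 is a fresh, untainted copy of the matched text
    }
    return;          # reject bad input outright rather than "fixing" it
}

my $requested = $ARGV[0] // '';
printf "input tainted? %s\n", tainted($requested) ? 'yes' : 'no';

my $name = untaint_filename($requested);
defined $name or die "Rejected file name: '$requested'\n";
printf "clean name: %s (tainted? %s)\n", $name, tainted($name) ? 'yes' : 'no';

# Safe to hand to an external program now. The list form of system() never
# goes through a shell, so even if the policy above were loosened, no
# metacharacter in $name could be interpreted as part of a command line.
system('/bin/ls', '-l', '--', "uploads/$name") == 0
    or warn "ls failed: $?\n";
```

Run it as `perl -T script.pl report.txt` (the `-T` must be on the command line or Perl stops with "Too late for -T option"). Try `perl -T script.pl '../etc/passwd'` or a name containing a semicolon to see the request rejected before anything is executed; comment out the `$ENV{PATH}` line to see Perl's own "Insecure $ENV{PATH}" check fire.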
Realistically, "Hello world" type programming examples on our courses aren't concerned with security - but within an hour or two the subject always comes up. I started a Python Course this morning and we were looking at robustness of code and the prevention of user attacks as early as coffee break time.
(written 2010-03-22, updated 2010-03-25)