Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
 
Python and Tcl - public course schedule [here]
Private courses on your site - see [here]
Please ask about maintenance training for Perl, PHP, Lua, etc
 
Security considerations in programming - what do we teach?

Many moons ago, I wrote and presented a security course - and ever since that time I have been acutely aware of the need to consider security in every aspect of system design, program writing and maintenance. And these days - with many of our programs "exposed" to people to run from remote places via the web, with plenty of time to break in and malicious scripting too, the lesson to think secure all the time is more important rather than less so.

On the PHP techniques workshop that I ran last week, we ran a really "low gloss" exercise - I describe it as the most boring practical of the course, but it's also the most important as the specification of the exercise is to set up a page / web site that's robust to stand up to whatever I choose to throw at it, and it behaves nicely in that standing up too.

Our courses - be they PHP courses or Perl courses or any of the half dozen other languages we teach consider security at each stage of the course - and necessarily so, as a system is only as strong as its weakest link. And there are so many aspects to consider - have a look at specialist pages such as [this one] which goes though a lot of things you might not have thought of.

What "keywords" are we talking here - well, I have just been asked to make security "centre stage" on a Perl course and I listed ... Unit testing, testing, source code control and backups. Injection Attacks. Race Conditions. Cardinal Values. File Locking. Denial of Service. Forking and Zombies. Input validation. Environment Variables. Execs and evals. Buffer Overflows and memory leaks. Design for security. Best practise - naturally robust systems. Security reviewing other code. And those are the general aspects. Add to that the Perl specifics ... Tainting. Real, effective ID and suidperl. Cleaning up your path. Backtics, evals, execs and subshells. Command line switches. Unicode. Public, protected, private - not in Perl; OO Perl security issues. Regular expressions. Magic in opens, globs, and other wild cards. Temporary files, lock files and file locking. Database transactions. Networking matters, process forking and threads. Sorts that give varying results. Resource hogs and efficiency matters.

Realistically "Hello world" type programming examples on our courses aren't concerned with security - but within an hour or two the subject always comes us. I started a Python Course this morning and we were looking at robustness of code and the prevention of user attacks as early as coffee break time.
(written 2010-03-22, updated 2010-03-25)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H117 - Security in PHP
  [4642] A small teaching program - demonstration of principles only - (2016-02-08)
  [3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
  [3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
  [3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
  [3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
  [2939] Protecting your images from use out of context - (2010-08-29)
  [2628] An example of an injection attack using Javascript - (2010-02-08)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
  [1747] Who is watching you? - (2008-08-10)
  [1694] Defensive coding techniques in PHP? - (2008-07-02)
  [1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
  [1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
  [1482] A story about benchmarking PHP - (2007-12-23)
  [1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
  [1387] Error logging to file not browser in PHP - (2007-10-11)
  [1323] Easy handling of errors in PHP - (2007-08-27)
  [1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
  [1052] Learning to write secure, maintainable PHP - (2007-01-25)
  [947] What is an SQL injection attack? - (2006-11-27)
  [920] A lion in a cage - PHP - (2006-11-10)
  [426] Robust checking of data entered by users - (2005-08-27)
  [345] Spotting a denial of service attack - (2005-06-12)

P222 - Perl - Programming Efficiency and Style
  [4611] Hungarian, Camel, Snake and Kebab - variable naming conventions - (2016-01-03)
  [2657] Want to do a big batch edit? Nothing beats Perl! - (2010-03-01)
  [2399] Firefighting with Perl - (2009-09-07)
  [1181] Good Programming practise - where to initialise variables - (2007-05-09)
  [743] How to debug a Perl program - (2006-06-04)

P609 - Perl - Network Security
  [2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)

P711 - An Introduction to Standards in Perl
  [4326] Learning to program - comments, documentation and test code - (2014-11-22)
  [3398] Perl - making best use of the flexibility, but also using good coding standards - (2011-08-19)
  [2875] A long day in Melksham ... - (2010-07-17)
  [2375] Designing your data structures for a robust Perl application - (2009-08-25)
  [1863] About dieing and exiting in Perl - (2008-11-01)
  [1853] Well structured coding in Perl - (2008-10-24)
  [1728] A short Perl example - (2008-07-30)
  [1555] Advanced Python, Perl, PHP and Tcl training courses / classes - (2008-02-25)
  [1395] Dont just convert to Perl - re-engineer! - (2007-10-18)
  [1345] Perl and Shell coding standards / costs of an IT project - (2007-09-11)
  [1221] Bathtubs and pecking birds - (2007-06-07)
  [1047] Maintainable code - some positive advice - (2007-01-21)
  [965] KISS - one action per statement please - Perl - (2006-12-05)
  [945] Code quality counts - (2006-11-26)
  [668] Python - block insets help with documentation - (2006-04-04)
  [242] Satisfaction of training - (2005-03-11)


Back to
A lovely spring afternoon
Previous and next
or
Horse's mouth home
Forward to
Can my dog eat potatoes? Doggie Dietary Research, and political sleaze!
Some other Articles
Flexible search and replace in Python
New brochures for the Melksham area
The World Company Register - is it another scam?
Can my dog eat potatoes? Doggie Dietary Research, and political sleaze!
Security considerations in programming - what do we teach?
A lovely spring afternoon
Freedom of Information - consideration for web site designers
Stairs
Exception handling in PHP
Car Parking in Melksham
4759 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2019: 404 The Spa • Melksham, Wiltshire • United Kingdom • SN12 6QL
PH: 01225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/2688_Sec ... each-.html • PAGE BUILT: Sat May 27 16:49:10 2017 • BUILD SYSTEM: WomanWithCat