Many moons ago, I wrote and presented a security course - and ever since that time I have been acutely aware of the need to consider security in every aspect of system design, program writing and maintenance. And these days - with many of our programs "exposed" to people to run from remote places via the web, with plenty of time to break in and malicious scripting too, the lesson to
think secure all the time is more important rather than less so.
On the
PHP techniques workshop that I ran last week, we ran a really "low gloss" exercise - I describe it as the most boring practical of the course, but it's also the most important as the specification of the exercise is to set up a page / web site that's robust to stand up to whatever I choose to throw at it, and it behaves nicely in that standing up too.
Our courses - be they
PHP courses or
Perl courses or any of the half dozen other languages we teach consider security
at each stage of the course - and necessarily so, as a system is only as strong as its weakest link. And there are so many aspects to consider - have a look at specialist pages such as
[this one] which goes though a lot of things you might not have thought of.
What "keywords" are we talking here - well, I have just been asked to make security "centre stage" on a Perl course and I listed ... Unit testing, testing, source code control and backups. Injection Attacks. Race Conditions. Cardinal Values. File Locking. Denial of Service. Forking and Zombies. Input validation. Environment Variables. Execs and evals. Buffer Overflows and memory leaks. Design for security. Best practise - naturally robust systems. Security reviewing other code.
And those are the general aspects. Add to that the Perl specifics ... Tainting. Real, effective ID and suidperl. Cleaning up your path. Backtics, evals, execs and subshells. Command line switches. Unicode. Public, protected, private - not in Perl; OO Perl security issues. Regular expressions. Magic in opens, globs, and other wild cards. Temporary files, lock files and file locking. Database transactions. Networking matters, process forking and threads. Sorts that give varying results. Resource hogs and efficiency matters.
Realistically "Hello world" type programming examples on our courses aren't concerned with security - but within an hour or two the subject always comes us. I started a
Python Course this morning and we were looking at robustness of code and the prevention of user attacks as early as coffee break time.
(written 2010-03-22, updated 2010-03-25)
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
P711 - An Introduction to Standards in Perl [242] Satisfaction of training - (2005-03-11)
[668] Python - block insets help with documentation - (2006-04-04)
[743] How to debug a Perl program - (2006-06-04)
[945] Code quality counts - (2006-11-26)
[965] KISS - one action per statement please - Perl - (2006-12-05)
[1047] Maintainable code - some positive advice - (2007-01-21)
[1221] Bathtubs and pecking birds - (2007-06-07)
[1345] Perl and Shell coding standards / costs of an IT project - (2007-09-11)
[1395] Dont just convert to Perl - re-engineer! - (2007-10-18)
[1555] Advanced Python, Perl, PHP and Tcl training courses / classes - (2008-02-25)
[1728] A short Perl example - (2008-07-30)
[1853] Well structured coding in Perl - (2008-10-24)
[1863] About dieing and exiting in Perl - (2008-11-01)
[2375] Designing your data structures for a robust Perl application - (2009-08-25)
[2875] A long day in Melksham ... - (2010-07-17)
[3398] Perl - making best use of the flexibility, but also using good coding standards - (2011-08-19)
[4326] Learning to program - comments, documentation and test code - (2014-11-22)
P609 - Perl - Network Security [426] Robust checking of data entered by users - (2005-08-27)
[2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)
P222 - Perl - Programming Efficiency and Style [1181] Good Programming practise - where to initialise variables - (2007-05-09)
[2399] Firefighting with Perl - (2009-09-07)
[2657] Want to do a big batch edit? Nothing beats Perl! - (2010-03-01)
[4611] Hungarian, Camel, Snake and Kebab - variable naming conventions - (2016-01-03)
H117 - Security in PHP [345] Spotting a denial of service attack - (2005-06-12)
[920] A lion in a cage - PHP - (2006-11-10)
[947] What is an SQL injection attack? - (2006-11-27)
[1052] Learning to write secure, maintainable PHP - (2007-01-25)
[1086] Injection attacks - safeguard your PHP scripts - (2007-02-20)
[1323] Easy handling of errors in PHP - (2007-08-27)
[1387] Error logging to file not browser in PHP - (2007-10-11)
[1396] Using PHP to upload images / Store on MySQL database - security questions - (2007-10-19)
[1482] A story about benchmarking PHP - (2007-12-23)
[1542] Are nasty programs looking for security holes on your server? - (2008-02-17)
[1679] PHP - Sanitised application principles for security and useability - (2008-06-16)
[1694] Defensive coding techniques in PHP? - (2008-07-02)
[1747] Who is watching you? - (2008-08-10)
[1779] Injection Attacks - avoiding them in your PHP - (2008-08-31)
[2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
[2628] An example of an injection attack using Javascript - (2010-02-08)
[2939] Protecting your images from use out of context - (2010-08-29)
[3210] Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON - (2011-03-22)
[3698] How to stop forms on other sites submitting to your scripts - (2012-04-15)
[3747] An easy way to comply with the new cookie law if your site is well designed - (2012-06-02)
[3813] Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them - (2012-07-22)
[4642] A small teaching program - demonstration of principles only - (2016-02-08)
Some other Articles
Flexible search and replace in PythonNew brochures for the Melksham areaThe World Company Register - is it another scam?Can my dog eat potatoes? Doggie Dietary Research, and political sleaze!Security considerations in programming - what do we teach?A lovely spring afternoonFreedom of Information - consideration for web site designersStairsException handling in PHPCar Parking in Melksham