Re: Ten least secure programs

From: Jay D. Dyson (jdyson_at_treachery.net)
Date: 07/02/03


Date: Wed, 2 Jul 2003 10:06:35 -0700 (PDT)
To: Security-Basics List <security-basics@securityfocus.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 30 Jun 2003, Chris Berry wrote:

> >9) CGI (on a webserver, that is)
>
> Hmm, CGI is a bit tricky, but I don't think the underlying design is the
> problem, mostly implementation, which is why I didn't put it on this
> list. Somebody correct me if I'm wrong.

        CGI is one of those iffy things. If the program is written in C,
shell or some other language, then the risks inherent in those languages
(buffer overflows, arbitrary command execution, et al) must be factored
into the security equation.

        If the program is written in PERL, there are a number of built-in
security safeguards that can be activated to make the script more safe.
For starters, PERL has the 'taint' flag (-T) that will do some sanity
checking on data input and will abort the program if it is asked to handle
input that hasn't been sanitized.

        But in the final analysis, it's not the language used that dooms
you; it's the security practices (or rather the lack thereof) of the
programmer who wrote the CGI script.

- -Jay

   ( ( _______
   )) )) .-"There's always time for a good cup of coffee"-. >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) | = |-'
  `--' `--' `Red meat isn't bad for you, fuzzy green meat is.' `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE/AxEfNlg1oZSC9mkRApJ0AJsEAN3HkVdKRqdrda6xAZhKP4N1owCcD9Hp
+0MSMmnQp+xO1K97wsPsW5Y=
=ACC9
-----END PGP SIGNATURE-----
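As an added illustration of the taint flag Jay describes (this is example code written for this page, not from his message or from any project), the script below is a small CGI handler run under -T. The script name taint_demo.pl, the query parameter "file" and the directory /var/www/uploads are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# -T on the shebang line turns on taint mode. mod_cgi executes the script
# through that line, so it takes effect; from a shell, run it as
# "perl -T taint_demo.pl", because a bare "perl taint_demo.pl" dies with
# "Too late for -T switch".

# Everything that came from outside the program is tainted, %ENV included.
# Any script that calls system() must therefore set a known PATH and drop
# the variables a hostile caller could use to influence a sub-shell.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Minimal query-string parser; every key and value it returns is tainted.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, $qs // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = $v // '';
    }
    return \%param;
}

# The only way to untaint data is to capture the part you have validated
# with a regex. "file" must be a plain basename: word characters and
# hyphens, with dots only between them, so there is no slash, no leading
# dot (which rules out "." and "..") and nothing a shell would interpret.
# $1 comes back untainted; anything else is rejected rather than "cleaned".
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([\w-]+(?:\.[\w-]+)*)\z/ && length $1 <= 64;
    return;
}

my $param = parse_query($ENV{QUERY_STRING});
my $file  = untaint_filename($param->{file});

print "Content-Type: text/plain\r\n\r\n";

if (!defined $file) {
    print "rejected: 'file' must be a plain basename of at most 64 characters\n";
    exit 0;
}

# This is the kind of call taint mode guards. Passing $param->{file} here
# instead of $file aborts the script before ls runs, with:
#   Insecure dependency in system while running with -T switch
# The list form of system() is checked too; Perl does not assume /bin/ls
# is harmless with an attacker-chosen argument.
system('/bin/ls', '-l', "/var/www/uploads/$file") == 0
    or print "ls exited with status ", $? >> 8, "\n";
```

To try it from a shell: QUERY_STRING='file=report.txt' perl -T taint_demo.pl runs the listing, while QUERY_STRING='file=../../etc/passwd' or 'file=x;id' is rejected by untaint_filename before system() is reached. Taint mode does not validate anything for you; it only refuses to let unvalidated input reach system(), exec(), backticks, writable open() and similar calls, which is why the regex capture is the part of the script that actually does the sanitising.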
