You don’t really need (CGI) security anyway!

Presented as a lightning talk at YAPC::Europe 2.0.01 03-Aug-2001
 

Disclaimer:- This presentation is not meant to be taken seriously. A lot has been lost in the conversion of what was more like 'stand-up with slides' to HTML only. No offence was intended by any of the comments and this advice is not meant to be followed.

Popular misconceptions about security

• Security is your responsibility.
• If your system is compromised it is the systems administrator who gets the blame, therefore it must be the sysadmin's responsibility. If the sysadmin were doing his job properly he should be staying after hours to check through your work.
• Security is more important than functionality.
• Yeah right!
• "Hello World" is secure, it's easy to be secure if you're not actually doing anything.
• Your site is under threat from hackers.
• Wrong again, see next point.

The most important thing to remember

• The internet is a very, very big place and it’s growing all the time.
• Your one site is just one of millions out there.
• The chances of a hacker, let alone a competent hacker finding your site is very, very small.
• All of this means that in short you're safe anyway so worrying about security is a waste of time.

Writing Secure Code

• You could write it all yourself deducing everything from first principles or …
• You could use tried and tested code written by an expert …
• Matt Wright - Security Guru
• What this man doesn’t know isn’t worth knowing.
• As recommended by the best industry sources including Gerald Newton of electrician.com

General Tips

• Make your scripts portable - put the Perl interpreter in the cgi-bin.
• This allows you to have the same shebang line no matter what type of server your script is running on. It also makes your script just a few characters shorter which improves efficiency.
• Give your process enough permission to do what you want.
• Nothing is more annoying than having a script die due to permissions issues, so right from the word go, give your script enough permission for it to do what you want.
• On the whole Root seems to work well for this (Administrator if you're running on NT).
• Make your scripts flexible - you never know what uses you’ll find for them further down the line.
• Adding redundant extra functionality will enable you to quickly adapt your script to be used for other tasks should that be required at a later date.

Testing

• Testing eats into your development time ...
• So if you're a contractor don’t bother, that’s what the warranty and installation period is for.
• This way the customer tests the parts of the code that are important to him and you don't have to spend any time checking the parts which don't get used.
• Peer review is a good alternative to testing.

Peer Review

• Post your code to a friendly internet forum and ask for advice. Remember to post the actual code or they won’t be able to help out as they'll be looking at it out of context.

• If nobody posts anything saying your script is insecure that means people have checked through it and not found anything and we're ready for stage 2.

Peer Review Stage 2

• Go to a less friendly internet forum and give them the address of your page.

• Not only will this give your site's security a good work out, as a bonus this should increase your hits for that week and you may even get some new customers out of it.

Obscurity is Job Security

• Protecting your code from snoopers (including your co-workers) can be difficult.
• Perl provides many neat features which allow you to write unbelievably obfuscated code, but that’s hard.
• For all those who want the same effect with little effort use Acme::Buffy.
• Simply download the Acme::Buffy module from CPAN and insert use Acme::Buffy at the top of all your scripts.
• Our sample Hello World script like this:-

• Becomes:-

• Not only does this protect your script from snoopers but it's now Buffy too.

With Thanks to ...

• This talk was the product of the insanity of more than one mind and I would like to thank the following:-
• All the folks on comp.infosystems.www.authoring.cgi
• Randal Schwartz
• Dave L
• Revjack
• … and those who wish to remain anonymous.