From: shawn wilson

> On Oct 3, 2011 8:48 AM, "Bob McConnell" <r...@cbord.com> wrote:
>>
>> From: shawn wilson
>>
>> > On Sun, Oct 2, 2011 at 02:32, Shlomi Fish <shlo...@shlomifish.org> wrote:
>> >> On Sun, 2 Oct 2011 00:07:34 +0300
>> >> "Octavian Rasnita" <orasn...@gmail.com> wrote:
>> >>
>> >>> Hi,
>> >>>
>> >>> Does anyone have some suggestions for what restrictions should be used on a site to be secure?
>> >>> Do you know some sites where I can get information about this subject?
>> >>> Most of the text I read said that the variables should be filtered before inserting them in DB, but never gave details for what should be filtered.
>> >>>
>> >>
>> >> Well, the SQL injections that you mention are one vector of attack against web-sites, but are not the only one. See:
>> >>
>> >> * http://shlomif-tech.livejournal.com/35301.html - my post about Code/Markup injection and its prevention.
>> >>
>> >> * http://en.wikipedia.org/wiki/Cross-site_scripting
>> >>
>> >> * http://en.wikipedia.org/wiki/Cross-site_request_forgery
>> >>
>> >
>> > since we're on web security, my favorite general purpose reading is:
>> > http://code.google.com/p/browsersec/wiki/Main
>> >
>> > also this (which iirc, some browsers don't or google say are dangerous - there doesn't seem to be any script running on this page - cursory look):
>> > http://ha.ckers.org/xss.html
>> >
>>
>> For general guidelines and tools, take a look at the OWASP Projects at <http://www.owasp.org/>.
>>
>
> Good point. I always assume that everyone has heard of the top 10 and the like so forget to put it out there.
>
> But, I'll just say, if you think about what you're doing and know a little about security you'll be in the upper 50%. If you run scans, you'll be in the upper 25%. After that it gets hard. However the point is that it's not hard to rise above the lowest hanging fruit (which isn't saying much for the state of ecommerce in general but is good for keeping inexperienced programmers with a little knowledge out of the roughage).

This is exactly why I never assume anyone has read the OWASP top ten.
But even if they have, a reminder to review them once in a while isn't
going to hurt. We go a few steps further. Some of our sites process
credit cards and some of our applications need to be certified for PCI
PA-DSS. So all development and QA teams had to attend training courses
in security and get a refresher class at least once a year.

Bob McConnell
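The original question asks what to "filter" before inserting variables into the database, and the replies point at SQL injection and markup injection as two sides of the same problem. The following is an added Perl example, not code from anyone on the thread: it contrasts string-interpolated SQL with DBI placeholders, and shows output escaping for the HTML side. It assumes DBD::SQLite is installed for the in-memory demo; the table, column and sample value are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed input, standing in for a form field. A perfectly legitimate
# value with an apostrophe is enough to show why interpolation is wrong.
my $username = "o'brien";

# Wrong: the value becomes part of the SQL text, so any quote character in
# it changes the statement's structure. No amount of ad hoc "filtering" is
# a substitute for keeping data and code separate.
sub unsafe_sql {
    my ($name) = @_;
    return "SELECT id FROM users WHERE name = '$name'";
}

# Right: a placeholder. The driver passes the value as data (or quotes it
# correctly itself), so it can never alter the query.
sub lookup_user {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare('SELECT id FROM users WHERE name = ?');
    $sth->execute($name);
    return $sth->fetchrow_array;
}

# The same idea on output: escape at the point where user data is placed
# into HTML, so it is rendered as text rather than interpreted as markup.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Demo against an in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO users (name) VALUES (?)', undef, $username);

print "unsafe: ", unsafe_sql($username), "\n";   # unbalanced quote: broken SQL
my ($id) = lookup_user($dbh, $username);          # placeholder: finds the row
print "safe: id=$id\n";
print "html: ", html_escape("<b>$username</b>"), "\n";
```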

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/