Re: Perl and OWASP

2010-03-29 Thread Nicholas Bamber

James, Tomas, Jacqui,

Thanks for the responses. I think all of you are more experienced in 
these matters than I am. I am open to suggestions on the best way to 
move forward.


Nicholas

Perl and OWASP

2010-03-28 Thread Nicholas Bamber
I have not managed to make it to any London Perl Monger events since
joining the mailing list a month or two back. I hope to remedy that when
people stop marrying at times that inconvenience my life. However I
reckon that should not stop me posting this now.


I recently came across the OWASP http://www.owasp.org project:

   The Open Web Application Security Project (OWASP) is a 501c3
   not-for-profit worldwide charitable organization focused on
   improving the security of application software. Our mission is to
   make application security visible, so that people and organizations
   can make informed decisions about true application security risks.
   Everyone is free to participate in OWASP and all of our materials
   are available under a free and open software license.

I am puzzled as to why there has hitherto been so little contact between
Perl and OWASP. Is anybody out there interested in volunteering some of
their coding and code reviewing efforts into improving the security of
Perl-based web applications in a more systematic way? I have tried
kicking things off with this page: http://www.owasp.org/index.php/Perl .
I look forward to hearing from you guys.


Nicholas



Re: Perl and OWASP

2010-03-28 Thread James Laver
On Sun, Mar 28, 2010 at 04:55:37PM +0100, Nicholas Bamber wrote:

 I am puzzled as to why there has hitherto been so little contact between
 Perl and OWASP. Is anybody out there interested in volunteering some of
 their coding and code reviewing efforts into improving the security of
 Perl-based web applications in a more systematic way? I have tried
 kicking things off with this page: http://www.owasp.org/index.php/Perl .
 I look forward to hearing from you guys.

I've got some things in the pipeline regarding it, though they're taking
a back seat at the minute.

Part of the problem is the complexity of things and the number of
libraries people use developing web apps. And Catalyst is an extremely
complicated beast to top all of that off.

What is actually required is to systematically audit each library for
potential pitfalls and see what the system as a larger entity
potentially opens up in them. And all that could take some time.

--James


Re: Perl and OWASP

2010-03-28 Thread Jacqui Caren-home

James Laver wrote:

 What is actually required is to systematically audit each library for
 potential pitfalls and see what the system as a larger entity
 potentially opens up in them. And all that could take some time.


Code reviews are seriously hard work but well worth it.

We used to run code review sessions when I worked at Cray (a LONG time ago)
and it changed how we developed and tested code. I remember the IBM team
reviewing 100 lines of assembler and finding over 100 issues that needed
resolution - they were actually happy and bought us cakes :-)

The nice bit was it was seen as a way to improve things and for people
to learn from others. Other parts of the company liked the idea; they
copied it and it started being used in both software and hardware reviews.

The side effect that programmers taught each other about pitfalls (and
shortcuts) was an unforeseen advantage.

We were lucky in that we had a team of some of the best professional testers
working with our dev team. They drove the code review and ensured it worked.

I no longer have the documentation but the rules were pretty simple:
small team - each member looks for specific issues. Constructive
criticism. Limited code to review. Limited time and very very short
review meetings. No redesigns etc.

I just wish I had the free time to do this again.


Re: Perl and OWASP

2010-03-28 Thread Tomas Doran


On 28 Mar 2010, at 16:55, Nicholas Bamber wrote:

 I am puzzled as to why there has hitherto been so little contact
 between Perl and OWASP.


I was at the first OWASP conference in London.

I used to attend their meets regularly, however in recent times
they've been arranged in either the far west or the far east of
London, and to start at 6pm. Given I finish work at 6pm, it's just not
been practical for me to be able to get there.


 Is anybody out there interested in volunteering some of their coding
 and code reviewing efforts into improving the security of Perl-based
 web applications in a more systematic way?


Yes. But then, I put quite a lot of my free time and code reviewing
efforts into improving Perl-based web applications in a systematic way
anyway. :-)


 I have tried kicking things off with this page: http://www.owasp.org/index.php/Perl .
 I look forward to hearing from you guys.


I'd certainly be prepared to volunteer some of my time contributing
to, or reviewing code for, Perl-based web security efforts, and I'm
certainly happy to do everything in my power (which isn't very much -
pretty much yelling 'well volunteered' at people) to get the Catalyst
community.


Cheers
t0m