James, Tomas, Jacqui,
Thanks for the responses. I think all of you are more experienced in
these matters than I am. I am open to suggestions on the best way to
move forward.
Nicholas
--
Message: 1
Date: Sun, 28 Mar 2010 16:55:37 +0100
From: Nicholas Bamber <nicho...@periapt.co.uk>
Subject: Perl and OWASP
To: london.pm@london.pm.org
Message-ID: <4baf7bf9.7060...@periapt.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
I have not managed to make it to any London Perl Monger events since
joining the mailing list a month or two back. I hope to remedy that when
people stop marrying at times that inconvenience my life. However I
reckon that should not stop me posting this now.
I recently came across the OWASP (http://www.owasp.org) project:
The Open Web Application Security Project (OWASP) is a 501c3
not-for-profit worldwide charitable organization focused on
improving the security of application software. Our mission is to
make application security visible, so that people and organizations
can make informed decisions about true application security risks.
Everyone is free to participate in OWASP and all of our materials
are available under a free and open software license.
I am puzzled as to why there has hitherto been so little contact between
perl and OWASP. Is anybody out there interested in volunteering some of
their coding and code reviewing efforts into improving the security of
perl based web applications in a more systematic way? I have tried
kicking things off with this page: http://www.owasp.org/index.php/Perl.
I look forward to hearing from you guys.
Nicholas
--
Message: 2
Date: Sun, 28 Mar 2010 17:26:59 +
From: James Laver <london...@jameslaver.com>
Subject: Re: Perl and OWASP
To: london.pm@london.pm.org
Message-ID: <20100328172659.gl4...@jameslaver.com>
Content-Type: text/plain; charset=us-ascii
On Sun, Mar 28, 2010 at 04:55:37PM +0100, Nicholas Bamber wrote:
> I am puzzled as to why there has hitherto been so little contact between
> perl and OWASP. Is anybody out there interested in volunteering some of
> their coding and code reviewing efforts into improving the security of
> perl based web applications in a more systematic way? I have tried
> kicking things off with this page: http://www.owasp.org/index.php/Perl.
> I look forward to hearing from you guys.
I've got some things in the pipeline regarding it, though they're taking
a back seat at the minute.
Part of the problem is the complexity of things and the number of
libraries people use developing web apps. And Catalyst is an extremely
complicated beast to top all of that off.
What is actually required is to systematically audit each library for
potential pitfalls and see what the system as a larger entity
potentially opens up in them. And all that could take some time.
--James
--
Message: 3
Date: Sun, 28 Mar 2010 19:34:58 +0100
From: Jacqui Caren-home <jacqui.ca...@ntlworld.com>
Subject: Re: Perl and OWASP
To: London.pm Perl M[ou]ngers <london.pm@london.pm.org>
Message-ID: <4bafa152.4040...@ntlworld.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
James Laver wrote:
> What is actually required is to systematically audit each library for
> potential pitfalls and see what the system as a larger entity
> potentially opens up in them. And all that could take some time.
Code reviews are seriously hard work but well worth it.
We used to run code review sessions when I worked at Cray (a LONG time ago)
and it changed how we developed and tested code. I remember the IBM team
reviewing 100 lines of assembler and finding over 100 issues that needed
resolution - they were actually happy and bought us cakes :-)
The nice bit was it was seen as a way to improve things and for people
to learn from others. Other parts of the company liked the idea; they
copied it and it started being used in both software and hardware reviews.
The side effect that programmers taught each other about pitfalls (and
shortcuts) was an unforeseen advantage.
We were lucky in that we had a team of some of the best professional testers
working with our dev team. They drove the code review and ensured it worked.
I no longer have the documentation but the rules were pretty simple.
Small team - each member looks for specific issues. Constructive
criticism. Limited code to review. Limited time and very, very short
review meetings. No redesigns etc.
I just wish I had the free time to do this again.
--
Message: 4
Date: Sun, 28 Mar 2010 22:37:30 +0100
From: Tomas Doran <bobtf...@bobtfish.net>
Subject: Re: Perl and OWASP
To: London.pm Perl M[ou]ngers <london.pm@london.pm.org>
Message-ID: <49ff8344-98a2-423b-9d38-b05eb0072...@bobtfish.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
On 28 Mar 2010, at 16:55, Nicholas Bamber wrote:
> I am