Security considerations in programming - what do we teach?
Archive - Originally posted on "The Horse's Mouth" - 2010-03-22 14:52:07 - Graham EllisMany moons ago, I wrote and presented a security course - and ever since that time I have been acutely aware of the need to consider security in every aspect of system design, program writing and maintenance. And these days - with many of our programs "exposed" to people to run from remote places via the web, with plenty of time to break in and malicious scripting too, the lesson to think secure all the time is more important rather than less so.
On the PHP techniques workshop that I ran last week, we ran a really "low gloss" exercise - I describe it as the most boring practical of the course, but it's also the most important as the specification of the exercise is to set up a page / web site that's robust to stand up to whatever I choose to throw at it, and it behaves nicely in that standing up too.
Our courses - be they PHP courses or Perl courses or any of the half dozen other languages we teach consider security at each stage of the course - and necessarily so, as a system is only as strong as its weakest link. And there are so many aspects to consider - have a look at specialist pages such as [this one] which goes though a lot of things you might not have thought of.
What "keywords" are we talking here - well, I have just been asked to make security "centre stage" on a Perl course and I listed ... Unit testing, testing, source code control and backups. Injection Attacks. Race Conditions. Cardinal Values. File Locking. Denial of Service. Forking and Zombies. Input validation. Environment Variables. Execs and evals. Buffer Overflows and memory leaks. Design for security. Best practise - naturally robust systems. Security reviewing other code. And those are the general aspects. Add to that the Perl specifics ... Tainting. Real, effective ID and suidperl. Cleaning up your path. Backtics, evals, execs and subshells. Command line switches. Unicode. Public, protected, private - not in Perl; OO Perl security issues. Regular expressions. Magic in opens, globs, and other wild cards. Temporary files, lock files and file locking. Database transactions. Networking matters, process forking and threads. Sorts that give varying results. Resource hogs and efficiency matters.
Realistically "Hello world" type programming examples on our courses aren't concerned with security - but within an hour or two the subject always comes us. I started a Python Course this morning and we were looking at robustness of code and the prevention of user attacks as early as coffee break time.