Perl and OWASP

Nicholas Bamber nicholas at periapt.co.uk
Mon Mar 29 14:10:22 BST 2010


James, Tomas, Jacqui,

Thanks for the responses. I think all of you are more experienced in 
these matters than I am. I am open to suggestions on the best way to 
move forward.

Nicholas

----------------------------------------------------------------------
> Message: 1
> Date: Sun, 28 Mar 2010 16:55:37 +0100
> From: Nicholas Bamber <nicholas at periapt.co.uk>
> Subject: Perl and OWASP
> To: london.pm at london.pm.org
> Message-ID: <4BAF7BF9.7060503 at periapt.co.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I have not managed to make it to any London Perl Monger events since
> joining the mailing list a month or two back. I hope to remedy that when
> people stop marrying at times that inconvenience my life. However I
> reckon that should not stop me posting this now.
>
> I recently came across the OWASP <http://www.owasp.org> project:
>
>      The Open Web Application Security Project (OWASP) is a 501c3
>      not-for-profit worldwide charitable organization focused on
>      improving the security of application software. Our mission is to
>      make application security visible, so that people and organizations
>      can make informed decisions about true application security risks.
>      Everyone is free to participate in OWASP and all of our materials
>      are available under a free and open software license.
>
> I am puzzled as to why there has hitherto been so little contact between
> perl and OWASP. Is anybody out there interested in volunteering some of
> their coding and code reviewing efforts into improving the security of
> perl based web applications in a more systematic way? I have tried
> kicking things off with this page: http://www.owasp.org/index.php/Perl .
> I look forward to hearing from you guys.
>
> Nicholas
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 28 Mar 2010 17:26:59 +0000
> From: James Laver <london.pm at jameslaver.com>
> Subject: Re: Perl and OWASP
> To: london.pm at london.pm.org
> Message-ID: <20100328172659.GL4039 at jameslaver.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Sun, Mar 28, 2010 at 04:55:37PM +0100, Nicholas Bamber wrote:
>
>> I am puzzled as to why there has hitherto been so little contact between
>> perl and OWASP. Is anybody out there interested in volunteering some of
>> their coding and code reviewing efforts into improving the security of
>> perl based web applications in a more systematic way? I have tried
>> kicking things off with this page: http://www.owasp.org/index.php/Perl .
>> I look forward to hearing from you guys.
>
> I've got some things in the pipeline regarding it, though they're taking
> a back seat at the minute.
>
> Part of the problem is the complexity of things and the number of
> libraries people use developing web apps. And catalyst is an extremely
> complicated beast to top all of that off.
>
> What is actually required is to systematically audit each library for
> potential pitfalls and see what the system as a larger entity
> potentially opens up in them. And all that could take some time.
>
> --James
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 28 Mar 2010 19:34:58 +0100
> From: Jacqui Caren-home <jacqui.caren at ntlworld.com>
> Subject: Re: Perl and OWASP
> To: "London.pm Perl M[ou]ngers" <london.pm at london.pm.org>
> Message-ID: <4BAFA152.4040409 at ntlworld.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> James Laver wrote:
>
>> What is actually required is to systematically audit each library for
>> potential pitfalls and see what the system as a larger entity
>> potentially opens up in them. And all that could take some time.
>
> Code reviews are seriously hard work but well worth it.
>
> We used to run code review sessions when I worked at Cray (a LONG time ago)
> and it changed how we developed and tested code. I remember the IBM team
> reviewing 100 lines of assembler and finding over 100 issues that needed resolution
> - they were actually happy and bought us cakes :-)
>
> The nice bit was it was seen as a way to improve things and for people
> to learn from others. Other parts of the company liked the idea they
> copied it and it started being used in both software and hardware reviews.
>
> The side effect that programmers taught each other about pitfalls (and shortcuts)
> was an unforeseen advantage.
>
> We were lucky in that we had a team of some of the best professional testers
> working with our dev team. They drove the code review and ensured it worked.
>
> I no longer have the documentation but the rules were pretty simple.
> Small team - each member looks for specific issues. Constructive
> criticism. Limited code to review. Limited time and very very short
> review meetings. No redesigns etc.
>
> I just wish I had the free time to do this again.
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 28 Mar 2010 22:37:30 +0100
> From: Tomas Doran <bobtfish at bobtfish.net>
> Subject: Re: Perl and OWASP
> To: "London.pm Perl M[ou]ngers" <london.pm at london.pm.org>
> Message-ID: <49FF8344-98A2-423B-9D38-B05EB00728AC at bobtfish.net>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
> On 28 Mar 2010, at 16:55, Nicholas Bamber wrote:
>
>> I am puzzled as to why there has hitherto been so little contact
>> between perl and OWASP.
>
> I was at the first OWASP conference in London.
>
> I used to attend their meets regularly, however in recent times
> they've been arranged in either the far west or the far east of
> London, and to start at 6pm. Given I finish work at 6pm, it's just not
> been practical for me to be able to get there.
>
>
>> Is anybody out there interested in volunteering some of their coding
>> and code reviewing efforts into improving the security of perl based
>> web applications in a more systematic way?
>
> Yes. But then, I put quite a lot of my free time and code reviewing
> efforts into improving perl based web applications in a systematic way
> anyway. :-)
>
>
>> I have tried kicking things off with this page: http://www.owasp.org/index.php/Perl .
>> I look forward to hearing from you guys.
>
> I'd certainly be prepared to volunteer some of my time contributing
> to, or reviewing code for perl based web security efforts, and I'm
> certainly happy to do everything in my power (which isn't very much -
> pretty much yelling 'well volunteered' at people) to get the Catalyst
> community.
>
> Cheers
> t0m
>
>

-- 
Nicholas Peter Bamber
Email: nicholas at periapt.co.uk
Professional Profile <http://www.linkedin.com/pub/nicholas-peter-bamber/13/998/aa2>
Periapt Technologies Ltd <http://www.periapt.co.uk>