Fwd: CERT and Perl::Critic

Author thaljef
Full name Jeffrey Ryan Thalhammer
Date 2012-06-19 14:57:34 PDT
Message FYI: A conversation I had with David Svoboda at CERT...


Begin forwarded message:

> From: David Svoboda <svoboda at cert dot org>
> Date: June 12, 2012 6:34:57 AM PDT
> To: Jeffrey Thalhammer <jeff@imaginative-software.com>
> Cc: David Svoboda <svoboda at cert dot org>, Robert Seacord <rcs at cert dot org>
> Subject: Re: CERT and Perl::Critic
>
>
> On 06/12/2012 02:16 AM, Jeffrey Thalhammer wrote:
>> Hi David-
>>
>> I just stumbled onto the CERT home page, and noticed that you're
>> developing a secure coding standard for Perl. I am one of the authors
>> of Perl::Critic, which is mentioned in many of the guidelines.
>
> Hello, Jeff.
>
> Ah, good, our Perl secure coding standard has finally made CERT's front
> page. We just made it public last week, and our promotion efforts are
> still ongoing.
>
> Actually, you are rather fortunate. Perl::Critic was one of our first
> sources when figuring out what rules to add, and so the standard is
> currently complete wrt Perl::Critic. That is, we have all the security
> rules that Perl::Critic provides checkers for. (Granted, both
> Perl::Critic and the CERT standards will grow and change in the future.)
> We are still adding rules from other sources, such as Conway's PBP book,
> and CERT vulnerability notes. We started with Perl::Critic because it
> was the most useful. We had to do several security audits of Perl code,
> and Perl::Critic made that easy.
>
>> Perl::Critic groups each of its rules into one or more themes. At
>> present, only two rules fall under the "security" theme. But
>> apparently, CERT feels many of the other rules are security-related as well.
>
> For our code audits, we ran Perl::Critic with all checkers enabled, and
> filtered out the irrelevant rules later. (We adopted this strategy when
> auditing C code and dealing with the output of several other static
> analysis tools. It was easier to do our own filtering than to rely on
> the filtering interfaces and capabilities of 4 different tools.)
>
> A good baseline measure of a security-related issue is a 'subversive'
> program; one that compiles (or parses) cleanly and is thought to do one
> thing, but really does another. Perl is full of such possible programs,
> owing to its loose syntax. A program that does something different than
> what its programmers expect is often a vulnerability waiting to be
> exploited.
>
>> So it occurred to me that we could create a new theme based on CERT's
>> guidelines. So users could get a CERT security audit with a single command:
>>
>> perlcritic --theme=cert YourCode.pm
>>
>> What do you think?
>>
>> -Jeff
>
> That would be excellent! I can even provide you with a mapping from
> Perl::Critic checkers to CERT rules. We use this map when doing software
> audits. Several other tools, such as LDRA, will check compliance with
> CERT standards...but that's in the C world :)
>
> I see that you created an account on the CERT wiki. I welcome you to
> make comments on the rules and point out mistakes. (One quick thing you
> can do is go to the Bibliography page and make sure the entry for
> Perl::Critic is correct.) We can also grant privileges to edit the wiki
> directly to our best commenters.
>
> --
> David Svoboda <svoboda at cert dot org>
> Software Security Engineer
> CERT Secure Coding Initiative
> (412) 268-3965
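The `perlcritic --theme=cert` command proposed above needs policies that carry a `cert` theme. Perl::Critic already lets a `.perlcriticrc` attach extra theme names to an existing policy with `add_themes`, and its API accepts the same theme expressions as the command line. The script below is an added example, not code from the thread or from the Perl::Critic project: it builds a small profile in memory that tags three existing policies with a `cert` theme, then critiques a constructed snippet with that theme selected. Which policies belong in such a theme is an assumption here, not CERT's mapping; the profile and the sample source are constructed for this example, and the profile is passed as a string reference, which Perl::Critic::UserProfile accepts in place of a file name.

```perl
#!/usr/bin/env perl
# Added example: select policies by a custom "cert" theme through the
# Perl::Critic API, mirroring `perlcritic --theme=cert YourCode.pm`.
use strict;
use warnings;
use Perl::Critic;

# Constructed profile (assumption: this policy set is illustrative only).
# `add_themes` keeps each policy's built-in themes and adds "cert".
my $profile = <<'END_PROFILE';
[InputOutput::ProhibitTwoArgOpen]
add_themes = cert

[BuiltinFunctions::ProhibitStringyEval]
add_themes = cert

[InputOutput::ProhibitBacktickOperators]
add_themes = cert
END_PROFILE

# Constructed sample source: a two-argument open and a string eval,
# both of which the tagged policies flag.
my $source = <<'END_SOURCE';
use strict;
use warnings;
my $file = shift;
open my $fh, $file or die "cannot open: $!";
my $code = <$fh>;
eval $code;
END_SOURCE

# -theme takes the same expression syntax as `perlcritic --theme`.
# -severity => 1 keeps every tagged policy regardless of its severity.
my $critic = Perl::Critic->new(
    -profile  => \$profile,
    -theme    => 'cert',
    -severity => 1,
);

# critique() accepts a file name or a reference to the source text.
for my $violation ( $critic->critique( \$source ) ) {
    printf "line %d: %s [%s]\n",
        $violation->location->[0],
        $violation->description,
        $violation->policy;
}
```

The same profile saved as `.perlcriticrc` makes the command-line form work unchanged: `perlcritic --theme=cert --severity=1 YourCode.pm`. Because the tags live in the user's profile rather than in the policy code, the theme can be adjusted as the CERT mapping evolves without waiting for a new Perl::Critic release.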