@ovid and other Perl mongers. What, if anything, do you use for code security?

I know that using taint gets you far, but SAST is mostly what I’m thinking (especially for legacy code without taint). Any tips?

Does Perl::Critic do a decent job, and is there a list of what its security policy and 3rd party plug-ins cover?

Other OS SAST I found are: https://github.com/htrgouvea/zarn and this grep-based one: https://github.com/wireghoul/graudit

Are they OK?

#SAST #Perl #AppSec #CodeSecurity #PerlCritic

GitHub - htrgouvea/zarn: A lightweight static security analysis tool for modern Perl Apps

@aegilops @ovid
bdf's CPANSA and CPAN::Audit monitor published CVEs for your modules in use. Note that one has to refresh the DB before running; it doesn't automagically refresh the DB (that's a feature).

@aegilops @ovid

perlcritic is not a security tool, but it has a `security` theme, and the somewhat larger set `(security || certrec || certrule)` is pretty decent.

see also `Perl::Critic::Policy::Lax::ProhibitStringyEval::ExceptForRequire` to remove false-positives from `require`.

consider adding
`InputOutput::ProhibitBacktickOperators`
and rules to prohibit `system()` and `exec()` (and alias `builtin::system()` ?)
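Stock Perl::Critic ships no policy for `system()`/`exec()`, so the "rules to prohibit" them above have to be written. The following is an added example policy (not part of Perl::Critic or of the poster's setup; the `Local::` package name is an assumption) that flags only the one-string form of `system`/`exec`, the form that reaches `/bin/sh` when the string contains metacharacters, and lets the list form and literal-only strings pass. It uses only documented `Perl::Critic::Utils` helpers.

```perl
package Perl::Critic::Policy::Local::ProhibitStringFormSystem;
# Added example policy, not part of Perl::Critic; the package name is an assumption.
use strict;
use warnings;
use Readonly;
use Perl::Critic::Utils qw( $SEVERITY_HIGH is_function_call parse_arg_list );
use parent 'Perl::Critic::Policy';

our $VERSION = '0.01';

Readonly::Scalar my $DESC => q{Single-argument system() or exec()};
Readonly::Scalar my $EXPL => q{A one-string command is handed to /bin/sh when it contains shell metacharacters; pass a list (system $prog, @argv) or use IPC::Run};

sub supported_parameters { return () }
sub default_severity     { return $SEVERITY_HIGH }
sub default_themes       { return qw( security local ) }   # picked up by theme = security || ...
sub applies_to           { return 'PPI::Token::Word' }

sub violates {
    my ( $self, $elem, undef ) = @_;

    # Only the words "system" and "exec", and only when actually used as a
    # function call (not a hash key, a method name, or a bareword after ->).
    return if $elem->content !~ m/\A(?:system|exec)\z/xms;
    return if !is_function_call($elem);

    # parse_arg_list() returns one array ref of PPI elements per argument.
    my @args = parse_arg_list($elem);

    # List form (two or more arguments) bypasses the shell entirely.
    return if @args > 1;

    # A single argument that is one non-interpolating literal cannot carry
    # attacker-controlled data; allow it.
    if ( @args == 1 && @{ $args[0] } == 1 ) {
        my $arg = $args[0][0];
        return if $arg->isa('PPI::Token::Quote::Single');    # 'cmd'
        return if $arg->isa('PPI::Token::Quote::Literal');   # q{cmd}
    }

    # Anything else (a variable, an interpolated string, an expression) is reported.
    return $self->violation( $DESC, $EXPL, $elem );
}

1;
```

Drop the file under `lib/Perl/Critic/Policy/Local/` somewhere on `@INC` (Perl::Critic discovers policies by namespace), then either run `perlcritic --theme 'security || certrec || certrule' lib/` or put `theme = security || certrec || certrule` in `.perlcriticrc`; because the policy declares the `security` theme it is included automatically, and `include = ProhibitBacktickOperators` in the same file pulls in the backtick policy from the post. A `system("ls $dir")` call is flagged, `system('ls', $dir)` and `system('date')` are not.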

@BRicker really great detail, thanks.

Do you use a different security tool for Perl, if Perl::Critic isn’t one (or at least, not a specialised one)?

For example, your note about prepared statements vs concatenating variables - is there tooling that supports auditing for that?

As far as I can tell, Critic doesn’t do data flow or taint, which is needed to do more than structural or local misuse security checks.

@aegilops Taint and `Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection` are the only tools I'm aware of (besides code reviews) to monitor for SQL injection code with DBI etc. (Also, some frameworks provide sanitization options.)

(I consider the tooling to be an auditor check-list item and the programmer education re avoiding OWASP-Top10 and code review to be the real security.)

@aegilops @ovid
Takeaways from OWASP Top 10
https://owasp.org/www-project-top-ten/

Whatever framework you're using on top of DBI, be sure to be using prepared statements with ? or $2 placeholders and SQL EXEC, not concatenating variables as values into statements.

Use high-level use-case-specific cryptography libraries, don't roll your own (unless you're one of the few qualified crypto library developers).
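As an added illustration of the placeholder advice above (example code, not from the post or from DBI's documentation), the following runs the same lookup twice against an in-memory SQLite database: once with the value concatenated into the statement text and once bound through a `?` placeholder. It assumes `DBD::SQLite` is installed; the table, rows and attacker string are constructed for the example. It also covers the one case placeholders cannot handle, identifiers such as a sort column, which need an allowlist instead.

```perl
#!/usr/bin/env perl
# Added example, not part of the original thread. Requires DBI and DBD::SQLite (assumption).
use strict;
use warnings;
use DBI;

# In-memory database so the example runs offline.
my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1, PrintError => 0 } );

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$ins->execute(@$_) for ( [ 'alice', 'alice@example.com' ], [ 'bob', 'bob@example.com' ] );

# Constructed attacker input: closes the string literal, appends a tautology.
my $untrusted = q{x' OR '1'='1};

# VULNERABLE: the value becomes part of the SQL text, so the tautology is executed
# and every row comes back.  This is the pattern PreventSQLInjection is meant to catch.
sub lookup_concat {
    my ( $dbh, $name ) = @_;
    my $rows = $dbh->selectall_arrayref("SELECT name FROM users WHERE name = '$name'");
    return [ map { $_->[0] } @$rows ];
}

# SAFE: the value travels out of band as a bound parameter; the statement text is
# fixed, so the whole string is compared literally and nothing matches.
sub lookup_placeholder {
    my ( $dbh, $name ) = @_;
    my $sth = $dbh->prepare('SELECT name FROM users WHERE name = ?');
    $sth->execute($name);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# CAVEAT: placeholders bind values only.  Table and column names (and ASC/DESC)
# cannot be bound, so map user input onto a fixed allowlist before interpolating.
my %sortable = map { $_ => 1 } qw( name email );
sub lookup_sorted {
    my ( $dbh, $col ) = @_;
    die "refusing unknown sort column '$col'\n" if !$sortable{$col};
    return $dbh->selectcol_arrayref("SELECT name FROM users ORDER BY $col");
}

printf "concatenated: %s\n", join( ',', @{ lookup_concat( $dbh, $untrusted ) } )      || '(none)';
printf "placeholder:  %s\n", join( ',', @{ lookup_placeholder( $dbh, $untrusted ) } ) || '(none)';
printf "sorted:       %s\n", join( ',', @{ lookup_sorted( $dbh, 'email' ) } );
eval { lookup_sorted( $dbh, 'name; DROP TABLE users' ) } or print "sorted:       $@";
```

The concatenated lookup returns both users for the tautology input while the placeholder lookup returns none, and the last line shows the allowlist rejecting an identifier that could not have been bound anyway. The same `?` syntax works through DBIx::Class, Rose::DB or any other layer on top of DBI; DBD::Pg additionally accepts `$1`, `$2` style placeholders. Running with `perl -T` on top of this makes the concatenated version die outright when `$name` comes from input, which is the taint check the thread opened with.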
