@ovid and other Perl mongers. What, if anything, do you use for code security?

I know that using taint gets you far, but SAST is mostly what I’m thinking (especially for legacy code without taint). Any tips?

Does Perl::Critic do a decent job, and is there a list of what its security policy and 3rd party plug-ins cover?

Other OS SAST I found are: https://github.com/htrgouvea/zarn and this grep-based one: https://github.com/wireghoul/graudit

Are they OK?

#SAST #Perl #AppSec #CodeSecurity #PerlCritic


@aegilops @ovid

perlcritic is not a security tool, but it has a `security` theme, and the somewhat larger set `(security || certrec || certrule)` is pretty decent.

see also `Perl::Critic::Policy::Lax::ProhibitStringyEval::ExceptForRequire` to remove false-positives from `require`.

consider adding
`InputOutput::ProhibitBacktickOperators`
and rules to prohibit `system()` and `exec()` (and alias `builtin::system()` ?)

@BRicker really great detail, thanks.

Do you use a different security tool for Perl, if Perl::Critic isn’t one (or at least, not a specialised one)?

For example, your note about prepared statements vs concatenating variables - is there tooling that supports auditing for that?

As far as I can tell, Critic doesn’t do data flow or taint, which is needed to do more than structural or local misuse security checks.

@aegilops Taint and `Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection` are the only tools I'm aware of (besides code reviews) to monitor for SQL injection code with DBI etc. (Also, some frameworks provide sanitization options.)

(I consider the tooling to be an auditor check-list item and the programmer education re avoiding OWASP-Top10 and code review to be the real security.)
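An added example, not posted by anyone in this thread, that ties the two suggestions together: it runs Perl::Critic programmatically with the `security || certrec || certrule` theme expression and the extra policies named above (`InputOutput::ProhibitBacktickOperators`, `ValuesAndExpressions::PreventSQLInjection`, and the Lax `ProhibitStringyEval::ExceptForRequire` in place of the core one), against a constructed snippet that builds SQL by interpolation and shells out with backticks, then against the same logic rewritten with a prepared statement and no shell. It assumes Perl::Critic, Perl-Critic-Lax and Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection are installed from CPAN; the sample code strings and the `report` helper are constructed for this example.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): drive Perl::Critic with the security
# theme and policies discussed above. Assumes Perl::Critic, Perl-Critic-Lax and
# Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection are installed.
use strict;
use warnings;
use Perl::Critic;

# Constructed sample: the pattern the thread is worried about.
my $vulnerable = <<'END_CODE';
use strict;
use warnings;
use DBI;
my $dbh  = DBI->connect('dbi:SQLite:dbname=app.db');
my $user = $ARGV[0];
# SQL text is assembled by interpolating an untrusted value
my $rows = $dbh->selectall_arrayref("SELECT * FROM users WHERE name = '$user'");
# untrusted value handed to a shell via backticks
my $listing = `ls $user`;
END_CODE

# Same logic with the value passed as a bind parameter and the shell-out removed.
my $hardened = <<'END_CODE';
use strict;
use warnings;
use DBI;
my $dbh  = DBI->connect('dbi:SQLite:dbname=app.db');
my $user = $ARGV[0];
my $sth  = $dbh->prepare('SELECT * FROM users WHERE name = ?');
$sth->execute($user);   # value travels as data, never as SQL text
my @files = glob('*');  # no shell involved
END_CODE

# Critic limited to the security-flavoured themes from the thread.
# -severity 1 stops the default severity-5 cutoff from silently dropping
# lower-severity policies that the theme selects; -include adds the named
# policies even when they fall outside the theme; -exclude swaps the core
# stringy-eval policy for the Lax variant that tolerates `require` forms.
my $critic = Perl::Critic->new(
    -severity => 1,
    -theme    => 'security || certrec || certrule',
    -include  => [
        'InputOutput::ProhibitBacktickOperators',
        'ValuesAndExpressions::PreventSQLInjection',
        'Lax::ProhibitStringyEval::ExceptForRequire',
    ],
    -exclude  => ['BuiltinFunctions::ProhibitStringyEval'],
);

# Critique one source string and print each violation with its policy name.
# Returns the violation count so a caller can fail a build on a non-zero result.
sub report {
    my ($label, $src) = @_;
    my @violations = $critic->critique(\$src);
    printf "%s: %d violation(s)\n", $label, scalar @violations;
    for my $v (@violations) {
        printf "  line %d: %s [%s]\n",
            $v->line_number, $v->description, $v->policy;
    }
    return scalar @violations;
}

report('vulnerable', $vulnerable);
report('hardened',   $hardened);
```

The same selection can live in a `.perlcriticrc` (`theme = security || certrec || certrule`, `severity = 1`, plus one section per extra policy) so `perlcritic` on the command line and in CI sees exactly what this script sees; the programmatic form is useful when you want to gate on the count returned by `report` rather than parse text output. As noted above, none of this is data-flow analysis: a value concatenated into SQL two subroutines away from the `prepare` call will not be caught, which is why taint mode and review remain the backstop.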