[CALUG] Securing a web server app

Jim Sansing jjsansing at verizon.net
Fri Nov 11 18:37:43 EST 2011


Forgive me if I tell you stuff you already know, but here is my high
level take on the issue.

I am assuming that the only port your server listens on is 80 (or 443). 
So the DB should be secure from remote access.  This means that besides
the basic web server security, there are 2 main points of attack: User
IDs and the perl program.  I am assuming you are already handling basic
web security, so here is my take on the others.

1) User IDs:  If you allow unmoderated users to post on your site,
spammers will create user IDs automatically and flood your site with
junk comments (hoping search engines will pick them up).  I have found
CAPTCHA works reasonably well against this.  My site is built on Drupal
and I define the CAPTCHA module to generate 7 characters.  I have had
automated programs create only 4 user IDs in almost a year of using
this (and I manually deleted them and the forum comments without too
much effort).  I'm guessing that CPAN probably has a CAPTCHA library.

2) The perl program:  I am assuming that the only other thing you need
to worry about here is DB access.  Since the perl code can be viewed,
you cannot (or at least should not) hard code login info.  In my
experience, this means that you have 2 choices:

  a) Provide users with a DB user ID and they have to log in to use the
program.  If you have a lot of users, this is a huge admin task.
  b) Have a DB user running in the background taking requests from
users.  This might require you to log in to that ID every time you
restart the web server, depending on how you handle it.

If your program only provides menu choices, then you probably don't have
to worry about SQL injection.  Otherwise, you need to validate all input
before sending it to the DB.  Again, CPAN might have a library for this,
but if you are not familiar with SQL validation, check out
http://www.owasp.org/ for good web application security info.

I hope this is helpful.

Later . . .   Jim
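As an added illustration of point 2 above (not code from Jim's message or from the pedigree project): the difference between pasting CGI input into the SQL string and handing it to the driver as a placeholder value, plus an allowlist check for menu-style input. It uses Python's built-in sqlite3 and a constructed three-row pedigree table so it runs offline; the same pattern applies in Perl with DBI's prepare/execute and `?` placeholders against MySQL.

```python
import sqlite3

# Constructed sample data standing in for the pedigree table in MySQL.
ROWS = [
    ("Ivan", "Borzoi", "private"),
    ("Sasha", "Borzoi", "public"),
    ("Rex", "Greyhound", "public"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pedigree (name TEXT, breed TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pedigree VALUES (?, ?, ?)", ROWS)
    return conn

def lookup_unsafe(conn, name):
    # Interpolating the CGI parameter into the SQL text: a quote character in
    # the input closes the literal and the rest of the input becomes SQL, so
    # the visibility filter can be bypassed and private rows leak.
    sql = ("SELECT name FROM pedigree WHERE visibility = 'public' "
           "AND name = '%s' ORDER BY name" % name)
    return [r[0] for r in conn.execute(sql)]

def lookup_safe(conn, name):
    # Placeholder: the query text is fixed and the driver passes the value
    # separately, so whatever the user typed is only ever compared as data.
    sql = ("SELECT name FROM pedigree WHERE visibility = 'public' "
           "AND name = ? ORDER BY name")
    return [r[0] for r in conn.execute(sql, (name,))]

# Menu-style input (point 2 of the message): accept only known choices.
ALLOWED_BREEDS = frozenset({"Borzoi", "Greyhound"})

def is_valid_breed(breed):
    return breed in ALLOWED_BREEDS

def lookup_by_breed(conn, breed):
    # Reject anything outside the allowlist before it reaches the DB; the
    # placeholder is still used so validation is not the only defence.
    if not is_valid_breed(breed):
        raise ValueError("unknown breed choice: %r" % (breed,))
    sql = "SELECT name FROM pedigree WHERE breed = ? ORDER BY name"
    return [r[0] for r in conn.execute(sql, (breed,))]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed test input containing a quote
    print("unsafe:", lookup_unsafe(db, probe))   # leaks every row, Ivan included
    print("safe:  ", lookup_safe(db, probe))     # no such name, empty result
```

Running it shows the interpolated version returning all three rows, the private one included, while the placeholder version returns nothing for the same input.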


Bonnie Dalzell wrote:
> On Fri, 11 Nov 2011, Jim Sansing wrote:
>
>> Hi Bonnie,
>>
>> This list welcomes technical questions, so if you're looking for some
>> brainstorming help on DB issues, fire away.  Tell us what the language
>> and the DB are and if we can't answer your question, we might be able to
>> point you to some sample code.
>>
>> Later . . .   Jim
>
> It is about security and perl and internet access
>
> I have this pedigree project I have been working on for years and the
> main program I have written is in perl. I now have a version of the
> program that will pull a pedigree from a mysql database through a web
> interface. However the place I rent space on has a big fine if your
> cgi program allows someone to hack the site, so I am afraid to go live
> with the web version of the db. I test run it at home.
>
> This is just for retrieving the pedigrees. I also need a secure way
> that trusted users can enter new information.
>
>
>>
>>
>> Bonnie Dalzell wrote:
>>> ...
>>>
>>> What sort of programming does your company do? I am at a point in
>>> an open source project where I am stuck on the internet database
>>> interface.
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>                         Bonnie Dalzell, MA
>>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>                        Bonnie Dalzell, MA
> mail:5100 Hydes Rd PO Box 60, Hydes,MD,USA
> 21082-0060|EMAIL:bdalzell at qis.net
> Freelance anatomist, vertebrate paleontologist, writer, illustrator, dog
> breeder, computer nerd & iconoclast... Borzoi info at www.borzois.com.
> HOME www.batw.net    ART bdalzellart.batw.net  BUSINESS
> www.boardingatwedge.com