Security Concerns for www.washington.edu

Every attempt is made to make the www.washington.edu cluster as secure as possible. However, much of the responsibility for security also rests on the developers, especially those who write CGI scripts.

Use Provided Scripts

Each time a script is created, security needs to be taken into account. By using centrally-managed scripts when possible, you are using programs which have been in use for quite some time and have been closely reviewed for security holes. When new holes are found, they are quickly fixed.

If you require a script which sends mail, you should look at the mailto script. If you wish to search a group of files, then you should look into one of the third party search services.

Writing Scripts

There are many cases where centrally-provided scripts do not have the functionality required for an application. In these cases, writing your own script is what is necessary.

A good place to start with regards to script security is with the Windows on Computing article about Security and CGI programs.

If your script is being written in Perl, you should consider using the CGI.pm module, as well as use strict; to help point out places in your script which can be exploited. In addition, it's highly recommended to use the -T flag in the first line of the script to turn on taint checking. More information about writing secure Perl programs is available in the Perl security manual.

Accessing Other Hosts

If it is necessary for your script to contact other hosts, you need to contact www-mgmt@washington.edu to obtain the necessary procedures for proceeding. It can not be stressed enough how dangerous it is to use rsh without the proper security precautions: without these precautions, if you set up your script to use the rsh command to another host, you are opening up the remote host to possible attack by every script on www.washington.edu.

Encryption

SSL is provided on www.washington.edu, and is quite easy to use. If your application requires any sort of authentication, you should strongly consider using SSL.