2nd USENIX Symposium on Internet Technologies and Systems


M1 am
Web Application Security

Mark-Jason Dominus, Consultant

Who should attend: Programmers and managers involved in the development of CGI programs and other applications designed to deliver dynamic or interactive content on the Web, and system administrators of Web servers. Participants should have some experience in developing these applications.

Interactive content on the Web is the world's biggest computer security hole. Before the invention of the WWW, sane system administrators would never have considered setting up a network service that allowed an anonymous user to execute a complex program on their systems. Nevertheless, that is exactly what the Web does. Programs of formidable complexity and power are executed thousands of times every day on your systems, by unknown users in unknown locations with no supervision. If these programs are not written with great care, they can be subverted and used to steal your information or vandalize your machine.

The tutorial will include a number of case studies of programs that appear safe but aren't, and will show why "eyeball" methods of program verification are ineffective. We will spend some time discussing common problems and oversights and will show how they can be avoided. The examples will be in the Perl programming language, but the problems are not language-specific and most of the solutions apply to programs written in any language. The tutorial will, however, spend some time discussing the unique "tainting" feature of Perl, which can detect many of these problems automatically.

We will examine the common programming error of trusting the browser, including improper use of cookies and client-side data validation. Additionally, we will take a close look at the strengths and weaknesses of authentication systems commonly used on the Web. Along the way, the tutorial will present important basic principles of security, with an emphasis on developing a sound security policy that is effective for your situation.
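An added example, not part of the tutorial or its materials, of the two points above: Perl's taint mode catching browser-supplied data on its way into a system call, and a regex capture acting as the server-side validation that replaces trust in the client. The query string, the parameter names and the filename policy are constructed for the demo.

```perl
#!/usr/bin/perl -T
# -T turns on taint mode: data from outside the program (CGI parameters,
# cookies, %ENV, STDIN) is marked tainted, and Perl dies if a tainted value
# reaches a call that affects the outside world (system, exec, unlink, ...).
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Take a tainted empty string from %ENV before cleaning it; concatenating it
# onto the constructed sample below taints the sample, so the demo behaves
# the same from a shell as it would under a server (which sets QUERY_STRING).
my $taint_mark = substr($ENV{PATH} // '', 0, 0);

# CGI hygiene from perlsec: a known PATH and no shell-influencing variables,
# otherwise -T refuses to run any external command at all.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed sample input: the browser claims an identity and sends a path
# that tries to climb out of the document directory.
my $qs = $ENV{QUERY_STRING} // $taint_mark . 'user=admin&file=..%2F..%2Fetc%2Fpasswd';

sub parse_query {    # minimal application/x-www-form-urlencoded parser
    my ($qs) = @_;
    my %param;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $v //= '';
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        $param{$k} = $v;
    }
    return \%param;
}

my $param = parse_query($qs);
printf "file=%s tainted=%s\n", $param->{file}, tainted($param->{file}) ? 'yes' : 'no';
# Passing the tainted value to system() is exactly what -T intercepts.
eval { system('ls', '-l', $param->{file}); 1 } or print "blocked: $@";

# Untainting is only possible through a regex capture, so the pattern is the
# policy: a plain filename, safe characters only, no separators, no leading dot.
sub safe_filename {
    my ($input) = @_;
    return $input =~ /\A([A-Za-z0-9_][\w.-]*)\z/ ? $1 : undef;
}

my $file = safe_filename($param->{file});
print defined $file ? "accepted $file\n" : "rejected '$param->{file}'\n";
# Untainting shows a value is well-formed, not that it is true: user=admin
# from the browser must still be checked against a server-side session.
```

Run it as `perl -T example.pl` (the -T on the shebang is only honoured when it matches the command line); under a web server the same program reads the real QUERY_STRING instead of the constructed sample.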

Mark-Jason Dominus has been involved in computer security since 1988 and has been developing interactive Web applications since 1994. He was a system administrator and the first Webmaster at the University of Pennsylvania's Department of Computer and Information Sciences. He then became a founding staff member of Pathfinder, Time-Warner's Internet Web service, where he was the leader of the system administration and network security group. He is now an independent consultant working in the area of dynamic application development and systems and security analysis. He writes a regular column for The Perl Journal.


Last changed: 22 Jul. 1999 jr