Perl Security Vulnerabilities and Language Overview What is Perl? First appearing in 1987, Perl is a general-purpose Unix scripting language and consists of a family of high-level, general-purpose, interpreted, dynamic programming languages. Influenced by several programming languages including C, shell script (sh), Lisp and others, Perl provides powerful text processing facilities without being held back by the arbitrary data lengths of other Unix command line tools. The Perl “language family” includes both Perl 5 and Perl 6, although Perl 6 is a separate, sister, language with its own development team, rather than a successor language. Unlike other popular programming languages, such as Python, Perl does not have a major corporate sponsor such as Microsoft or Google. Read more about Perl security vulnerabilities and a general language overview below. Perl founder and “Benevolent dictator” Larry Wall While the name “Perl” is not an acronym, there have been many popular meanings associated with P-E-R-L over the years including “Practical Extraction and Reporting Language.” Interesting Facts about Perl The camel has been the symbol of Perl ever since it appeared on the cover of Programming Perl in 1990 and is now a trademarked symbol owned by the magazine publishers O’Reilly Media. Perl conferences are held worldwide and there is usually at least one taking place every month with the largest being held in Tokyo, Japan. While Perl is celebrated as being a “natural language” and offers a wealth of knowledge to those who want to learn it, the author of Beginning Perl, Curis Poe, notes that the presence of so many powerful modules available on the Comprehensive Perl Archive Network (CPAN) can often be a deterrent to newcomers trying to learn Perl as the sheer amount can be intimidating. Perl trainer Eduard Babayan notes just how similar some aspects of Perl can be to the English language as seen in the screenshot below. Example of how “natural” a programming language Perl is. Why Was Perl Initially Created? As one of the first popular dynamic programming languages (along with Ruby, Python and PHP), Perl was first developed by Larry Wall in 1987 and, like other algorithmic programming languages at the time, has a portion of its development financed by the military. In creating Perl, Larry Wall set out to fill the gap between “manipulexity” (the ability of languages like C to get into the innards of things) and “whipuptitude” (the property of programming languages like AWK or ‘sh that allows programmers to quickly write useful programs) and in doing so, Perl was able to fill a void and attract programmers in droves. It’s interesting to note that Larry Wall and his wife were studying linguistics in graduate school in California, they set out to try and find an unwritten language and devise a writing system for it. It was Larry’s passion for linguistics that contributed to Perl being a natural language and using linguistic terms (such as noun, verb, etc) rather than typical programming terms such as “variable” and “function.” Which Major Websites are built using Perl? Ever since the early 1990s, Perl has been a popular language of choice for UNIX system administrators and this popularity gained even more traction as the world wide web began taking off. Among the reasons why Perl is an important language include: fundamental differences in the tasks best performed by scripting languages like Perl versus traditional system programming languages like Perl, C++ or C. Perl’s ability to “glue together” other programs, or transform the output of one program so it can be used as input to another. Perl’s unparalleled ability to process text, using powerful features like regular expressions. This is especially important because of the re-emergence via the web of text files (HTML) as a lingua-franca across all applications and systems. The ability of a distributed development community to keep up with rapidly changing demands, in an organic, evolutionary manner. For these reasons, and more, some of the most popular websites on the internet include Perl amongst their IT stacks. The largest website built using Perl to render its content is Amazon.com which used to use Perl to a greater extent before shifting to other frameworks. As one savvy quora user points out, Amazon still is looking for engineers who are fluent in template languages which include Mason (a web application framework written in Perl) as well as Perl which seems like a strong indicator that the language is still being used, and will continued to be used in their IT stack. Other major websites that use Perl include: IMDB.com BBC.com Booking.com High-Risk Perl Security Vulnerabilities: As a popular open source programming language, there are serious consequences when vulnerabilities in Perl code make it to production and are exploited by malicious parties. The following is a list of some of the high risk threats facing applications written in Perl: Command_Injection Connection_String_Injection LDAP_Injection Reflected_XSS_All_Clients Resource_Injection Second_Order_SQL_Injection SQL_Injection Stored_XSS A full list of up to date Perl vulnerabilities and exploits can be found here. Securing your Perl Code Checkmarx’s CxSAST, a static code analysis solution, rises above other Perl testing solutions as not only the solution which will keep your Perl code free from security, legal and compliance issues, but also as the solution which will propel to your organization’s advancement when it comes to application security education amongst the developers. CxSAST works with the IDEs and other tools that your developer teams are already using as it integrates with most of the common development programs available at every developer touchpoint of the SDLC. CxSAST’s features such as incremental code scanning and the best fix location made it ideal for any continuous integration continuous development (CICD) environment. When vulnerabilities are detected in the Perl code, Checkmarx’s CxSAST will not only locate the best fix location, but will also offer resources to the developer to understand how the attack vector work as well as remediation advice which will help them ensure similar mistakes are avoided in the future.