CGI and FastCGI scripts share some unusual properties:
- often need to implement platform technology (database, e-mailing, processing, etc.) within a single application
- constrained starting environment (file-system jail, privilege-dropped, etc.)
- high attacker access
- a reputation for rapid application growth and feature response
- large number of moving target technologies: HTML5, JSON, CSS, etc.
- high cost of mistakes
The result? Highly complex applications in constrained environments with a large number of possible attackers. What could possibly go wrong?