WebApp Sec mailing list archives

Welcome to a new year at WebAppSec


From: Andrew van der Stock <vanderaj () owasp org>
Date: Sun, 6 Jan 2008 21:45:40 -0500

Hi there,

This year is an opportunity to fundamentally improve things in the web app sec world.

Some of the things I really think we should do this year are to reach out to the frameworks, to make common webappsec deficiencies go away. Permanently.

1. XSS. We really need to touch base with them so that apps developed using common frameworks are un-XSSable. However, this is not the entire story - XSS is a family of attacks deriving from encoding issues. We need to engage with the framework developers and help them come up with a simple way for apps to only access canonicalized input (regardless of source) using white listing (positive validation).

2. Injections. We not only need frameworks to remove access to concatenating SQL query interfaces, we need for LDAP, XML and other common interfaces to be uninjectable as well. We know that parameterized statements eliminate SQL injection; we need similar interfaces for other common text based protocols.

3. Eliminating or disabling unsafe API, like PHP's allow_url_fopen and wrappers by default. There is a tiny fraction of applications which need this type of functionality, and they should ask for it - with the WARNING WARNING WARNING klaxons blaring.

4. Make common webappsec blunders harder to justify by providing a common framework to enable safer options, such as safe indirect object references, and so on. OWASP has developed the ESAPI, an enterprise security API. It satisfies a number of common "I told you so" issues, such as membership, indirect object references, and so on. I am sure we will see ports other than Java.

5. Connecting to the developer community. We're converted. We know what works - but most of us on this list do not develop the apps, only review them. Developers always seem to be surprised when we 0wn their apps. Let's start talking to them - a lot.

What are your favorite developer conferences?

What are your thoughts on what could be improved?

thanks,
Andrew van der Stock
Lead Author, OWASP Guide
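Point 1 above asks frameworks to hand applications only canonicalized input, validated against a white list. The following is an added illustration of that pattern (it is not code from the post, from OWASP or from any framework): it URL-decodes until the value stops changing, applies Unicode NFKC so full-width look-alikes collapse to ASCII, and only then applies a positive regex for a username field. The field name, the character set and the decode-round limit are assumptions chosen for the example.

```python
import re
import unicodedata
from urllib.parse import unquote

# Assumption for this example: refuse values that keep changing after a
# few decode rounds rather than looping on pathological nested encodings.
MAX_DECODE_ROUNDS = 4

# Positive (white list) rule for a hypothetical username field:
# lowercase letter first, then letters/digits/underscore, 3 to 32 chars.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def canonicalize(raw: str) -> str:
    """Reduce an input value to one canonical form before any validation.

    URL-decodes repeatedly until a fixed point is reached (so %2527 becomes
    %27 and then '), then applies Unicode NFKC so that compatibility
    characters such as full-width 'a' normalize to plain ASCII.
    """
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError(
            "input still changing after %d decode rounds" % MAX_DECODE_ROUNDS
        )
    return unicodedata.normalize("NFKC", value)


def validate_username(raw: str) -> str:
    """Return the canonical username, or raise if it fails the white list.

    Validation runs on the canonical form, never on the raw bytes, so an
    encoded quote cannot slip past the regex and be decoded later.
    """
    canonical = canonicalize(raw)
    if not USERNAME_RE.fullmatch(canonical):
        raise ValueError("username rejected after canonicalization: %r" % canonical)
    return canonical


def is_valid_username(raw: str) -> bool:
    """Boolean convenience wrapper around validate_username."""
    try:
        validate_username(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for sample in ["alice_01", "alice%2527", "\uff41lice", "%2525252541"]:
        print("%-14r -> %s" % (sample, "accepted" if is_valid_username(sample) else "rejected"))
```

The order matters: decoding after validation is the classic way a white list gets bypassed, and running NFKC first means the regex only ever has to describe one representation of each character.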

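Point 2 above contrasts concatenated SQL with parameterized statements and asks for equivalent interfaces for other text-based protocols such as LDAP. The block below is an added example, not code from the post or from any framework: it runs both query styles against a constructed in-memory SQLite table so the difference is observable, and then shows what a "parameterized" interface for an LDAP search filter amounts to, namely escaping filter metacharacters per RFC 4515 before the value is interpolated. The table, rows and filter shape are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """The concatenating interface the post wants frameworks to remove:
    user input becomes part of the SQL text, so quotes change the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the SQL text is fixed and the value is bound
    separately, so it can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# RFC 4515 escapes for characters that have meaning inside an LDAP
# search filter; everything else passes through unchanged.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP filter assertion."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(uid: str) -> str:
    """The LDAP analogue of a parameterized statement: the filter template
    is fixed in code and the caller's value can only match literally.
    The objectClass and attribute names are assumptions for the example."""
    return "(&(objectClass=person)(uid=%s))" % ldap_escape(uid)


if __name__ == "__main__":
    conn = build_db()
    # Constructed input containing a quote, to show the two behaviours diverge.
    probe = "x' OR '1'='1"
    print("concatenated :", find_user_concat(conn, probe))
    print("parameterized:", find_user_param(conn, probe))
    print("ldap filter  :", ldap_user_filter("*)(uid=*"))
```

The SQL half is a property check rather than a protocol detail: a parameterized lookup for a value that is not a name must return nothing, and a framework that only exposes the parameterized interface makes the concatenating form impossible to write. The LDAP half shows that "uninjectable" for a text protocol means the library, not the application author, owns the escaping table.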

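Point 4 above mentions ESAPI's safe indirect object references. The following is an added sketch of that idea (it is not ESAPI's code, and the class and method names are assumptions for the example): a per-session map that hands the client a random opaque token for each object the user is allowed to reach, and resolves tokens back to real identifiers only if they were issued by that same map. A request carrying any other value fails closed instead of reaching the data layer with a guessed key.

```python
import secrets


class AccessReferenceMap:
    """Per-session map between direct object references (database keys,
    file names) and random indirect references exposed to the client.

    Modelled on the ESAPI access reference map concept; this is an added
    illustration, not ESAPI's implementation.
    """

    def __init__(self, token_bytes: int = 12):
        # Assumption for the example: 12 random bytes, URL-safe encoded.
        self._token_bytes = token_bytes
        self._direct_to_indirect = {}
        self._indirect_to_direct = {}

    def add(self, direct):
        """Register an object the current user may access and return the
        indirect reference to place in links and form fields. Calling
        add() twice for the same object returns the same token."""
        if direct in self._direct_to_indirect:
            return self._direct_to_indirect[direct]
        while True:
            indirect = secrets.token_urlsafe(self._token_bytes)
            if indirect not in self._indirect_to_direct:
                break
        self._direct_to_indirect[direct] = indirect
        self._indirect_to_direct[indirect] = direct
        return indirect

    def is_known(self, indirect: str) -> bool:
        """True only for tokens this map issued."""
        return indirect in self._indirect_to_direct

    def resolve(self, indirect: str):
        """Map a client-supplied token back to the real identifier.
        Unknown tokens raise rather than falling through to a lookup."""
        try:
            return self._indirect_to_direct[indirect]
        except KeyError:
            raise PermissionError("unknown object reference %r" % indirect) from None


def build_session_map(owned_ids) -> AccessReferenceMap:
    """Build the map for one session from the identifiers the user owns,
    as an authorization check would compute them at login."""
    refmap = AccessReferenceMap()
    for direct in owned_ids:
        refmap.add(direct)
    return refmap


if __name__ == "__main__":
    # Constructed sample: this user owns invoices 101 and 102 only.
    refmap = build_session_map([101, 102])
    token = refmap.add(101)
    print("link token for 101:", token)
    print("resolves to       :", refmap.resolve(token))
    print("known('103')      :", refmap.is_known("103"))
```

Because the map is built from what the user is authorized to see, resolving a token is itself the access check; the real key never appears in the URL, so there is nothing sequential for a client to iterate.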



