
RE: [WEB SECURITY] Secure Web Application Framework Manifesto



Hi Rohit. For discussion purposes, more generally, I have (1) personally, and (2) anecdotally found "manifestos" do more harm than good.

The short version: They don't promote awareness (as top x lists do), they shut down thought (manifestos==constitutions of sorts, where requirements become law based on a given constitution and if it can't be traced back to the constitution (manifesto) it can never become a law (requirement)), and they are not complete enough to be grouped into sets of requirements which can be targeted to achieve a given level of assurance (a la OWASP ASVS).

Case study: Agile.

Agile is the bane of my existence as a security person. I will go on record! I have found a way "in" by working between sprints to arm development teams with security function toolkits (OWASP ESAPI), gating sprints with security-focused code reviews, and between and outside of sprints working on higher-level items such as architecture and requirements. Doing the former is hard, doing the latter is harder, and the difficulty is (again based on my personal experience, i.e. anecdotally; I am not purporting to be reporting based on a large study, but I think my personal experience has merit enough to discuss and not dismiss just because it is not an industry study) due to overly-strict interpretations of the Agile manifesto and of "being agile". Maintaining and building to a targeted level of assurance cannot be traced back to the Agile manifesto and as such can't provide a basis for including security-related activities. Non-user-driven, persistent requirements (e.g. security requirements such as "validate all inputs using a whitelist, always") are always at risk of being jettisoned from the product backlog. Many other problems/variations on the examples, but perhaps that's enough for discussion.

As a postscript (sorry for the long email) (this comment, this paragraph *is* specific to the document), perhaps consider using OWASP ASVS when it comes to frameworks, by for example determining if a given ASVS requirement is met by either the application or underlying frameworks. It's still a "pass" from ASVS' perspective, towards the end of being x level secure. Perhaps in the not too distant future the results of verifying popular frameworks will start to be published, making such determinations available for everyday use when reviewing apps.

Best,
 
Mike B.

-----Original Message-----
From: Rohit Sethi [mailto:rklists@xxxxxxxxx] 
Sent: Tuesday, January 12, 2010 9:25 AM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Secure Web Application Framework Manifesto

Hi all,

Many of us have argued that the features of underlying web application frameworks will make a major impact on the security of the individual applications built on top of them.

To that end, a few of my colleagues and myself have put together a "Secure Web Application Framework Manifesto". In many ways, this is the inverse of the work that Arshan and the Intrinsic Security Working Group did; our emphasis is on providing a set of requirements for frameworks to follow, rather than evaluating the frameworks themselves. Ideally, frameworks will adhere to the manifesto and publish a list of the features implemented. This helps developers make intelligent decisions about the underlying security of the frameworks they use, and should have the additional benefit of enhancing the default security of web applications.

I'd like to propose turning this into an OWASP project, but wanted to solicit feedback from the security community prior to turning it into an official project.

Here's the link to the paper:
http://labs.securitycompass.com/papers/secure-web-application-framework-manifesto-v0-05.pdf

--
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA




