Re: [WEB SECURITY] Secure Web Application Framework Manifesto
- From: Paul Johnston <paul.johnston@xxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Secure Web Application Framework Manifesto
- Date: Wed, 13 Jan 2010 13:13:47 +0000
Hi,
I do like your idea, and I think this would be good as an OWASP project.
It's hard to pitch it right. In some places I think you're too
prescriptive (e.g. 1 hour expiry on password reset messages) - different
sites will have different security requirements. Still, this document
needs to be quite prescriptive - a generic statement "Provide secure
authentication services" is not really helpful.
I wonder if you'd do better to remove references to specific frameworks
from this document. You can have separate documents like "A review of
Django against the OWASP Web Framework Manifesto".
One tough issue, and this applies particularly to injection attacks, is
the ability of programmers to call low-level APIs. A framework should
provide a high-level API that is resistant to SQL injection. But
internally it has to use a low-level API that is vulnerable. How do you
restrict access to that? Is it enough to just mention this in the docs,
the idea being that we've at least made it harder for developers to
create insecure code? Do we need code review tools that will highlight
this? Or do we need runtime enforcement that compartmentalises code and
enforces this?
Some specifics you could add:
Prevention of JS hijacking
Captchas to prevent password brute forcing
Obfuscation of field names
An authorization system that understands horizontal segregation
Anti-spam techniques
Best wishes,
Paul
--
Paul Johnston
IT Security Consultant
Pentest Limited
Office: +44 (0) 161 233 0100
Fax: +44 (0) 161 233 0990
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
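As an added illustration of the high-level-versus-low-level API problem Paul raises above (this is example code, not from the thread or any real framework): a small query layer over Python's sqlite3 that keeps the raw cursor private, validates identifiers and binds every value as a parameter, plus a simple AST-based review check that flags `.execute()` calls whose SQL text is assembled at runtime. The names `SafeDB`, `find_raw_sql`, `accepts_identifier` and the sample source `REVIEW_SAMPLE` are all constructed for this example.

```python
import ast
import re
import sqlite3

# Strict identifier pattern: table and column names must match this, so a
# caller can never smuggle quotes, semicolons or comments through a name.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class SafeDB:
    """High-level query API (hypothetical). Callers never write SQL text:
    identifiers are whitelisted and every value travels as a bound
    parameter, so data cannot change the statement's structure."""

    def __init__(self, conn):
        self._conn = conn  # the low-level, injectable API stays private

    @staticmethod
    def _ident(name):
        if not _IDENT.fullmatch(name):
            raise ValueError(f"illegal SQL identifier: {name!r}")
        return '"' + name + '"'

    def select(self, table, columns, where):
        """SELECT columns FROM table WHERE k1 = ? AND k2 = ? ...
        `where` is a dict of column -> value; values are bound, not inlined."""
        cols = ", ".join(self._ident(c) for c in columns)
        conds = " AND ".join(f"{self._ident(k)} = ?" for k in where)
        sql = f"SELECT {cols} FROM {self._ident(table)}"
        if conds:
            sql += " WHERE " + conds
        return self._conn.execute(sql, tuple(where.values())).fetchall()


def accepts_identifier(name):
    """True if the high-level API would accept `name` as an identifier."""
    try:
        SafeDB._ident(name)
        return True
    except ValueError:
        return False


def find_raw_sql(source):
    """Code-review check: return line numbers of execute()/executemany()/
    executescript() calls whose first argument is built at runtime
    (f-string, % or + expression, or str.format). A plain string literal,
    with values passed separately as parameters, is not flagged."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany", "executescript")
                and node.args):
            continue
        arg = node.args[0]
        dynamic = (isinstance(arg, ast.JoinedStr)
                   or isinstance(arg, ast.BinOp)
                   or (isinstance(arg, ast.Call)
                       and isinstance(arg.func, ast.Attribute)
                       and arg.func.attr == "format"))
        if dynamic:
            hits.append(node.lineno)
    return hits


# Constructed sample of application code for the review check: lines 2 and 3
# build SQL from data and should be flagged; lines 1 and 4 should not.
REVIEW_SAMPLE = '''\
cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
cur.execute(f"DELETE FROM sessions WHERE token = '{tok}'")
cur.execute("SELECT 1")
'''


def build_demo_db():
    """In-memory database with constructed rows, wrapped in the safe API."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return SafeDB(conn)


if __name__ == "__main__":
    db = build_demo_db()
    print(db.select("users", ["name"], {"id": 1}))
    # A classic tautology in a value is just a literal string to compare:
    print(db.select("users", ["name"], {"name": "x' OR '1'='1"}))
    print(accepts_identifier("users; DROP TABLE users --"))
    print(find_raw_sql(REVIEW_SAMPLE))
```

The two halves answer different parts of Paul's question: the wrapper is the "make it harder" approach (the private connection is still reachable by a determined developer, as in any Python object), while `find_raw_sql` is the review-tool approach that surfaces the bypass whenever someone does reach for the low-level call with string-built SQL.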
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org