[Esapi-dev] [Owasp-leaders] Feedback on Potential New OWASPProject
Paul Apostolescu
apbogdan at gmail.com
Fri Jan 22 13:59:01 EST 2010
Juan,
I will use the current ESAPI .NET version, not the classic ASP one. IMO,
resource-wise (and not only), it makes more sense to support them both on the
same code base.
Paul
On Fri, Jan 22, 2010 at 1:48 PM, Calderon, Juan Carlos (GE, Corporate,
consultant) <juan.calderon at ge.com> wrote:
> I think the best way is that you give the current release a look at
> Google Code. The .NET code was "enhanced" with the necessary attributes and
> changes for .NET interop to be registered as an ActiveX and then loaded in
> classic ASP pages' CreateObject calls.
>
> Google Code Repository
> http://code.google.com/p/owasp-esapi-classicasp/
>
> Also here you have the .NET Code in a downloadable zip file
> http://www.owasp.org/index.php/File:OWASP_Classic_ASP_ESAPI.zip
>
> And a sample ASP page that calls the available functions; notice by the
> comments which functions are not implemented and why.
> http://www.owasp.org/index.php/File:Default.zip
>
> All these links are available from the Project Page
> http://www.owasp.org/index.php?title=Classic_ASP_Security_Project
>
> Regards, and feel free to send me any doubt you might have off-list, so as not to
> spam our fellow list members :),
> *Juan C Calderon*
>
>
> ------------------------------
> *From:* Paul Apostolescu [mailto:apbogdan at gmail.com]
> *Sent:* Jueves, 21 de Enero de 2010 05:16 p.m.
>
> *To:* Calderon, Juan Carlos (GE, Corporate, consultant)
> *Cc:* Boberski, Michael [USA]; Jim Manico; Jeff Williams;
> esapi-dev at lists.owasp.org
> *Subject:* Re: [Esapi-dev] [Owasp-leaders] Feedback on Potential New
> OWASPProject
>
> Juan,
>
> Let's give it a try. I will start looking into what is the best way to
> expose the current .NET ESAPI implementation via COM. I'm not sure what
> kind of issues you ran into due to polymorphism; method overloading will
> definitely be a problem but not a show stopper - we can either rename the
> methods or simply create a special wrapper library for COM consumption only
> (which may be the best option).
>
> It would be good if you could send me, offline, specific examples of what did
> not work in the previous version, so we have a clearer understanding of what
> kind of problems can be expected.
>
> Thanks
> Paul
>
> On Thu, Jan 21, 2010 at 2:10 PM, Calderon, Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
>
>> Hello Paul
>>
>> I don't like the idea of re-building ESAPI for VB; it is like stepping
>> back in terms of technology. But the effort and problems I faced with
>> the modified version of ESAPI.NET were a lot, and worse yet, we ended up
>> with something not usable in the real world, which was my objective from the
>> beginning.
>>
>> In order to make ESAPI for .NET available for classic ASP pages as an
>> ActiveX we used .NET Interop, but there are a lot of restrictions and
>> undocumented behaviors for making it work. For example, Interop does not
>> support polymorphism, so we had to rename methods to make them compatible.
>> Also, not all the .NET data types are supported by the interop wrapper, so we had
>> to modify more methods; some methods could not even be implemented as
>> they were defined for ESAPI.NET.
>>
>> Besides all that, some people were not able to make the library work on XP
>> environments (I was using Vista for the development); even updated and more
>> neutral versions of the code did not run for some reason. Error codes had no
>> or senseless descriptions, and step-by-step debugging is not available when using
>> interop. I faced functions that run perfectly with an ASP.NET page call
>> and simply fail when called from a Classic ASP page on the same server :S
>>
>> So I came to the conclusion that if I want to make ESAPI for
>> Classic ASP work I have to rewrite it in VB. I will rewrite it from the
>> latest version in Java (that is the leading project), not from the current
>> version I have. I mean, if I am making the effort, I will go with the latest
>> version.
>>
>> If you or someone else in the team is very proficient in .NET and wants to
>> give .NET interop another chance, I will be willing to try again. Otherwise,
>> I will go for the rewrite.
>>
>> Any comment Paul / List?
>>
>> Regards,
>> *Juan C Calderon*
>>
>>
>> ------------------------------
>> *From:* Paul Apostolescu [mailto:apbogdan at gmail.com]
>> *Sent:* Jueves, 21 de Enero de 2010 10:55 a.m.
>>
>> *To:* Calderon, Juan Carlos (GE, Corporate, consultant)
>> *Cc:* Boberski, Michael [USA]; Jim Manico; Jeff Williams;
>> esapi-dev at lists.owasp.org
>>
>> *Subject:* Re: [Esapi-dev] [Owasp-leaders] Feedback on Potential New
>> OWASPProject
>>
>> Juan,
>>
>> AFAIK the ESAPI for classic ASP was branched from a previous version of
>> ESAPI .NET, and instead of creating a new version it would ideally be better
>> if we could combine our efforts and make the current .NET version work for
>> classic ASP as well. Currently there is no installer, but we can provide one
>> that takes care of deploying the required dependencies independent of the OS
>> version. Is that going to help?
>>
>> Thanks
>> Paul
>>
>> On Thu, Jan 21, 2010 at 11:28 AM, Calderon, Juan Carlos (GE, Corporate,
>> consultant) <juan.calderon at ge.com> wrote:
>>
>>> Just FYI, I am working on creating a new version of ESAPI for Classic ASP
>>> using (god forgive me) ActiveX DLLs, to make it more compatible with ASP
>>> technology. The first release was using a modified version of ESAPI.NET +
>>> Interop, but that really didn't go. The few that dared to try to implement it
>>> desisted due to the complexities of installation and OS version oddities.
>>>
>>> My first position was to avoid closed technologies, since you need to buy a
>>> VB IDE/Compiler from MS to be able to make an ActiveX. But recently I was
>>> advised that there is a free VB IDE from Microsoft that is restricted to
>>> only compiling ActiveX (no EXEs). But that is exactly what I needed: something
>>> we can offer for free and that is native to the technology.
>>>
>>> So just FYI, it won't be quick, as it might take me a few months to
>>> develop given my workload and that I have to totally rewrite ESAPI for
>>> VB6 (wish me luck). But I am pretty confident that this new version will be
>>> much more reliable and, moreover, usable to the community.
>>>
>>> Regards,
>>> *Juan C Calderon*
>>>
>>> ------------------------------
>>> *From:* Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
>>> *Sent:* Jueves, 21 de Enero de 2010 08:55 a.m.
>>> *To:* Calderon, Juan Carlos (GE, Corporate, consultant); Jim Manico
>>>
>>> *Cc:* Jeff Williams; esapi-dev at lists.owasp.org
>>> *Subject:* RE: [Esapi-dev] [Owasp-leaders] Feedback on Potential New
>>> OWASPProject
>>>
>>> I encourage people to explore the PHP baseline, and if they have any
>>> precious developer cycles to spare, there's plenty of work to do, just drop
>>> me a line! There's an opportunity in particular to implement new/planned
>>> features for ESAPI for Java 2.x/3.x without having to carry along
>>> legacy/deprecated functionality since we're still very much in development
>>> of a first complete release, which is exciting.
>>>
>>> Mike B.
>>>
>>>
>>> ------------------------------
>>> *From:* Calderon, Juan Carlos (GE, Corporate, consultant) [mailto:
>>> juan.calderon at ge.com]
>>> *Sent:* Thursday, January 21, 2010 9:42 AM
>>> *To:* Jim Manico; Boberski, Michael [USA]
>>> *Cc:* Jeff Williams; esapi-dev at lists.owasp.org
>>> *Subject:* RE: [Esapi-dev] [Owasp-leaders] Feedback on Potential New
>>> OWASP Project
>>>
>>> Great! It would be good to see how the current PHP baseline configurations
>>> might be used for Java and .NET applications.
>>>
>>> BTW, count on me to do the XSL for the enumeration/listing of the
>>> properties if you need a hand; I have some experience with it.
>>>
>>> Regards,
>>> *Juan C Calderon, CSSLP*
>>>
>>> ------------------------------
>>> *From:* Jim Manico [mailto:jim.manico at owasp.org]
>>> *Sent:* Jueves, 21 de Enero de 2010 07:25 a.m.
>>> *To:* Boberski, Michael [USA]
>>> *Cc:* Jeff Williams; Calderon, Juan Carlos (GE, Corporate, consultant);
>>> esapi-dev at lists.owasp.org
>>> *Subject:* Re: [Esapi-dev] [Owasp-leaders] Feedback on Potential New
>>> OWASP Project
>>>
>>> Thank you Juan Carlos. This is a good idea. I added this to the issue
>>> tracker here
>>>
>>> http://code.google.com/p/owasp-esapi-java/issues/detail?id=93
>>>
>>> --
>>> Jim Manico
>>> OWASP Podcast Host/Producer
>>> OWASP ESAPI Project Manager
>>> http://www.manico.net
>>>
>>>
>>>
>>> FYI, it's actually what we do on ESAPI for PHP!
>>>
>>> Mike B.
>>>
>>>
>>> ------------------------------
>>> *From:* esapi-dev-bounces at lists.owasp.org [mailto:esapi-dev-bounces at lists.owasp.org]
>>> *On Behalf Of *Jeff Williams
>>> *Sent:* Wednesday, January 20, 2010 6:15 PM
>>> *To:* 'Calderon, Juan Carlos (GE, Corporate, consultant)'
>>> *Cc:* esapi-dev at lists.owasp.org
>>> *Subject:* Re: [Esapi-dev] [Owasp-leaders] Feedback on Potential New
>>> OWASP Project
>>>
>>> That makes a lot of sense. Would you be so kind as to add a feature
>>> request into the ESAPI Google Code issue tracker?
>>>
>>> --Jeff
>>>
>>> *From:* Calderon, Juan Carlos (GE, Corporate, consultant) [mailto:juan.calderon at ge.com]
>>> *Sent:* Wednesday, January 20, 2010 4:32 PM
>>> *To:* Jeff Williams
>>> *Subject:* RE: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> Hello Jeff
>>>
>>> The ESAPI config file is in properties format, which makes sense for a Java
>>> application, but if it were in XML it might be possible to port it to
>>> applications in .NET, Cold Fusion, etc. So baseline configuration files
>>> could be created, and at the same time a simple XSL file could create a nice HTML
>>> version of the configuration file for purposes like this one.
>>>
>>> What do you think?
>>>
>>> Regards,
>>>
>>> *Juan C Calderon*
>>>
>>> ------------------------------
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>>> *On Behalf Of *Jeff Williams
>>> *Sent:* Miércoles, 20 de Enero de 2010 03:30 p.m.
>>> *To:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> I’d love to know about the security controls that are in place, what
>>> libraries are used by the software, and their configurations. The ESAPI
>>> configuration file <http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/resources/.esapi/ESAPI.properties> is a good starting point for things to report out.
>>>
>>> From a non-technical perspective, I’d also like to know about the
>>> developers, process, tools, CM, etc…
>>>
>>> --Jeff
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>>> *On Behalf Of *Sethi, Rohit
>>> *Sent:* Wednesday, January 20, 2010 4:00 PM
>>> *To:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> Jeff, what specific configuration items would you suggest? For example,
>>> James mentioned a list of user roles. I could imagine including data about
>>> container-managed authentication and sessions, as well as encryption
>>> providers (in the case of Java). If somebody adopts the manifesto, then we
>>> could apply other configuration data like the input validation configuration
>>> for each interface type. What else would you recommend?
>>>
>>> *Rohit Sethi*
>>>
>>> *Director, Professional Services*
>>>
>>> *Security Compass*
>>>
>>> http://www.securitycompass.com
>>>
>>> Direct : 888-777-2211 ext. 102
>>>
>>> Mobile: 732.546.4473
>>>
>>> Twitter: rksethi
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>>> *On Behalf Of *Jeff Williams
>>> *Sent:* Wednesday, January 20, 2010 11:35 AM
>>> *To:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> 2. My interpretation of adaptive access is that your access depends on
>>> how you connect. Are you at your desk on the intranet? Or via a VPN
>>> connection? Or on your iPhone? Or in a hostile foreign country? Carrier
>>> pigeon? etc… You might require stronger authentication or you might limit
>>> access depending on the context. Adaptation might not only be limited to
>>> the user, you might adapt access based on other context, such as time of
>>> day, current security alert level, weather, etc… If you’re thinking of
>>> doing this, remember that implementing the contextual information and the
>>> actual access checks isn’t the hard part. The difficulty is managing all the
>>> data and rules in a scalable way.
>>>
>>> 3. I really like the idea of a “Visibility API”. Applications should
>>> have interfaces that 1) report on security configuration, 2) identify
>>> possible misconfiguration, and 3) possibly even enable security testing.
>>> This really goes right to the heart of the problem with application
>>> security – nobody has any idea how secure or insecure the apps they’re using
>>> are. Ivan Ristic’s SSL Labs <https://www.ssllabs.com/ssldb/analyze.html?d=owasp.org> project is doing a fantastic job at making security visible. But wouldn’t
>>> it be easier and better to report this from the inside? Why shouldn’t an
>>> application provide its own “Software Facts <http://www.aspectsecurity.com/documents/Aspect_HCSS_Brief.ppt>”
>>> label?
>>>
>>> --Jeff
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>>> *On Behalf Of *Sethi, Rohit
>>> *Sent:* Wednesday, January 20, 2010 9:53 AM
>>> *To:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> 1. James, I like the idea of adding more specific guidance around
>>> database interaction. We’ll probably have to spend time investigating this
>>> before adding it into the next release. As Dinis said, let’s start with a
>>> primary focus on the presentation tier and then move forward if we’re successful
>>> in getting the manifesto adopted.
>>>
>>> 2. If I understand your comment about adaptive access, I think this
>>> is referring to something along the lines of IP geolocation and tying a
>>> particular session to a region (e.g. country). This warrants further
>>> investigation as well. Does anyone know of any frameworks that provide this
>>> already?
>>>
>>> 3. I think this falls outside the scope of the manifesto
>>>
>>> *Rohit Sethi*
>>>
>>> *Director, Professional Services*
>>>
>>> *Security Compass*
>>>
>>> http://www.securitycompass.com
>>>
>>> Direct : 888-777-2211 ext. 102
>>>
>>> Mobile: 732.546.4473
>>>
>>> Twitter: rksethi
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>>> *On Behalf Of *McGovern, James F. (eBusiness)
>>> *Sent:* Tuesday, January 19, 2010 9:36 AM
>>> *To:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> Still noodling enterprisey developer behavior, and came across a few other
>>> scenarios:
>>>
>>> 1. I don't think we should focus solely on the MVC parts of the
>>> framework. Much of the guidance to date regarding access and persistence of
>>> data is also done insecurely. For example, if a developer decides to use
>>> Hibernate, should a DBA still do DB security? Of course, but the challenge
>>> here is one of moving things higher up into the application. Taking this
>>> thought one step deeper, what should we do with the growing popularity of
>>> the Entity-Attribute-Value (EAV) style of DBs being pushed by cloud vendors,
>>> Azure, and even used in many SAAS implementations? Applying grant/revoke to
>>> third-normal-form databases no longer applies and requires a framework in
>>> the app to get the right security model.
>>>
>>> 2. How should a framework think about adaptive access? For example, I
>>> enter my credentials on my bank site and it is proven that my credentials are
>>> a directory entry, but I may be accessing from a different computer,
>>> possibly in another country.
>>>
>>> 3. Let's look at the reporting side of the equation and ignore runtime
>>> for a moment. We have all heard of SoX, etc. Wouldn't an auditor love a way
>>> to, say, enumerate all the "roles" an application supports without reading
>>> code? Could things that auditors care about be made discoverable? It's one
>>> thing to enumerate a role, but how can you define which roles are in
>>> conflict (e.g. accounts receivable vs accounts payable) and then apply the
>>> proper enforcement?
>>>
>>> ------------------------------
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>>> *On Behalf Of *Sethi, Rohit
>>> *Sent:* Monday, January 18, 2010 11:22 PM
>>> *To:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> James, thanks for the continued comments. We can certainly include #1 in
>>> the next draft.
>>>
>>> Multi-tenancy is a hot topic today. With respect to application
>>> frameworks, I believe the most fundamental security concern boils down to
>>> horizontal privilege escalation. In light of some of the suggestions from
>>> Paco Hope on SC-L, we’re thinking of rather narrowing the scope of what
>>> we’re making recommendations on for this round. I’d like to include some
>>> built-in mechanism for horizontal access control but would rather see it in
>>> practice first before recommending it broadly.
>>>
>>> Point 3 is very interesting. Deep linking is sometimes a genuine
>>> application need. That said, some web application frameworks provide page
>>> flow capabilities; one model would be to add optional page flow enforcement
>>> by tracking the user’s navigation history on the server and allowing or
>>> denying access to a given page based on the page the user is currently on.
>>> For example, a user is only allowed to access Page 3 after coming from page
>>> 2; direct access after page 1 or any other page would result in
>>> authorization failure. As I type this I’m pretty sure I’ve seen it before
>>> but can’t remember where off-hand. Does anyone know of a framework that does
>>> this automatically?
>>>
>>> As for the entitlements piece, it looks like another aspect of
>>> authorization. Should user jmcgovern have access to policy XYZ742 and not
>>> ABC153? That depends – should users of the role ‘OWASP’ have access to that
>>> policy? Should only user jmcgovern have access to that policy? Should all
>>> users who have purchased a certain coverage have access to that policy? I
>>> believe that a framework can help developers by providing ubiquitous access
>>> to authorization-relevant data, but developers ultimately need to determine
>>> authorization criteria on a case by case basis.
>>>
>>> 4 & 5 sit in that nebulous area between reliability and availability. We
>>> can certainly make an argument that these are relevant to security, but I’m
>>> worried that they only begin to scratch the surface of a much larger domain.
>>> We could probably throw things like inefficient garbage collection in the
>>> same grouping. For the first cut, we’ll probably stay away from all but the
>>> most obvious Denial of Service protections and re-evaluate what goes into
>>> the next cut.
>>>
>>> We included file upload in the last version, but we need to get more
>>> specific about it. Configuring ICAP for virus scanning seems to be a
>>> generally reasonable requirement; how often is it actually done by an
>>> application server rather than a caching or proxy server?
>>>
>>> Cheers,
>>>
>>> *Rohit Sethi*
>>>
>>> *Director, Professional Services*
>>>
>>> *Security Compass*
>>>
>>> http://www.securitycompass.com
>>>
>>> Direct : 888-777-2211 ext. 102
>>>
>>> Mobile: 732.546.4473
>>>
>>> Twitter: rksethi
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org]
>>> *On Behalf Of *McGovern, James F. (eBusiness)
>>> *Sent:* Friday, January 15, 2010 9:19 AM
>>> *To:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Feedback on Potential New OWASP Project
>>>
>>> Additional feedback:
>>>
>>> 1. More enterprisey comments: First, I am probably blissfully ignorant
>>> of certain open publishing rules, but I firmly believe that all papers
>>> should contain the BIOs of the folks who have written them. I tend to like
>>> the templates for documents published by Gartner more than the IEEE stuff.
>>>
>>> 2. Can we apply some analysis to how a framework should handle
>>> multitenancy and its security considerations? For example, Liferay
>>> Enterprise Portal, eXO and others support multitenancy but have slightly
>>> different takes. Which is the better model going forward from a security
>>> perspective? Used as examples, focus on the model, not analysis of the product. This
>>> however challenges somewhat the definition/granularity of framework we
>>> should target.
>>>
>>> 3. A developer asked me an interesting question today in which I could
>>> only offer sage wisdom. They wanted to understand how a framework should
>>> handle deep linking. I decomposed this question into two thoughts of which
>>> the first is whether there is control on doing such a thing. You may not
>>> want deep linking where you want to control flow and at other times, you
>>> want the exact opposite. Control flow is good to prevent against business
>>> logic flaws, etc. The second part of the question is how to think about
>>> entitlements around data. For example, if you saw the link:
>>> http://www.aetna.com/medical/getmyrecord.jsp?policy=XYZ742, the obvious
>>> stuff like parameter tampering comes to mind, but how do we associate the
>>> given subject with this policy as part of a validation model.
>>>
>>> 4. Are we fans that web application frameworks may want to provide
>>> capability for graceful degradation, quiescing traffic or having a way of
>>> making certain portions of an application unavailable based on a schedule or
>>> other trigger? On one of our portals, I know we have some functions where we
>>> can support 10K concurrent where others if we had 100 users hitting
>>> simultaneously, things would break bad. What should a framework do in this
>>> regard?
>>>
>>> 5. How does a framework work in a clustered environment? Should every
>>> object be required to implement serializable or things crash?
>>>
>>> 6. If you have a framework that builds XML on the fly, does it provide
>>> special protections for things like credit cards?
>>>
>>>
>>>
>>> _______________________________________________
>>> Esapi-dev mailing list
>>> Esapi-dev at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>
>
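The page-flow enforcement Rohit Sethi sketches above (the server records the page the user is currently on, and a page is only served when the user arrives from an allowed predecessor, with direct access from any other page treated as an authorization failure), written out as an added example. This is illustration code, not code from the thread or from ESAPI; the checkout page names and their ordering are assumptions.

```python
"""Server-side page-flow enforcement (added example; not ESAPI code).

The session, not the client, records which page the user is on, so neither
the Referer header nor a client-side token can be tampered with to skip
steps. Pages without a rule remain deep-linkable.
"""
from dataclasses import dataclass
from typing import List, Optional

# Flow rules: page -> set of pages the user must currently be on to reach it.
# Pages absent from the map carry no rule and may be requested from anywhere.
# The checkout pages below are hypothetical.
FLOW_RULES = {
    "/checkout/address": {"/checkout/cart"},
    "/checkout/payment": {"/checkout/address"},
    "/checkout/confirm": {"/checkout/payment"},
}


@dataclass
class Session:
    """Server-side session state; current_page is the last page we served."""
    current_page: Optional[str] = None


def request_page(session: Session, requested: str) -> bool:
    """Return True and advance the session if `requested` is reachable.

    A request for a page with a flow rule is refused unless the session's
    current page is one of that rule's predecessors. A refused request leaves
    the session where it was, so the legitimate next step still works.
    """
    predecessors = FLOW_RULES.get(requested)
    if predecessors is not None and session.current_page not in predecessors:
        return False
    # Either no rule applies (deep link allowed) or the transition is legal.
    # Leaving the flow for an unruled page also resets the position, so the
    # user has to re-enter through the flow's first step.
    session.current_page = requested
    return True


def walk(pages: List[str]) -> List[bool]:
    """Replay a sequence of requests in a fresh session; return each decision."""
    session = Session()
    return [request_page(session, page) for page in pages]
```

The decision depends only on state the server wrote itself; the rule table is the place where a framework would let an application declare which pages are part of a flow and which may be deep-linked.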
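The entitlement question James McGovern raises for the `getmyrecord.jsp?policy=XYZ742` link, and the three candidate answers Rohit Sethi lists (the policy's owner, members of a role, anyone who purchased the coverage), as an added example that is not code from the thread or from any product named in it. The check binds the requesting subject to the policy identifier on the server, so a tampered parameter is refused. The policy table, users, roles and coverages are constructed sample data; `ABC153` is assumed to belong to someone else.

```python
"""Object-level (horizontal) authorization for a record identifier.

Added example; the data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Policy:
    policy_id: str
    owner: str                                   # subject who holds the policy
    coverage: str                                # product line it belongs to
    viewer_roles: FrozenSet[str] = frozenset()   # roles allowed to view it


@dataclass
class Subject:
    user: str
    roles: Set[str] = field(default_factory=set)
    purchased: Set[str] = field(default_factory=set)   # coverages bought


# Constructed sample records; the identifiers come from the thread's example.
POLICIES: Dict[str, Policy] = {
    "XYZ742": Policy("XYZ742", owner="jmcgovern", coverage="medical"),
    "ABC153": Policy("ABC153", owner="someone-else", coverage="dental",
                     viewer_roles=frozenset({"OWASP"})),
}


def authorize_policy_view(subject: Subject, policy_id: str) -> Tuple[bool, str]:
    """Decide whether `subject` may view `policy_id`.

    Returns (allowed, reason). The reason is for the audit log only: the
    caller shows the same generic error for 'no such policy' and 'denied'
    so that valid identifiers cannot be enumerated by probing.
    """
    policy = POLICIES.get(policy_id)
    if policy is None:
        return False, "no such policy"
    if policy.owner == subject.user:
        return True, "owner"
    if subject.roles & policy.viewer_roles:
        return True, "role"
    if policy.coverage in subject.purchased:
        return True, "coverage"
    return False, "not entitled"


def get_my_record(subject: Subject, query_string: str) -> Tuple[int, str]:
    """Handle a request such as 'policy=XYZ742'; return (HTTP status, body)."""
    params = parse_qs(query_string, keep_blank_values=True)
    policy_ids: List[str] = params.get("policy", [])
    if len(policy_ids) != 1:            # missing or duplicated parameter
        return 400, "bad request"
    allowed, reason = authorize_policy_view(subject, policy_ids[0])
    if not allowed:
        # `reason` belongs in the server-side audit log; the client gets one
        # generic answer whether the id was foreign or nonexistent.
        return 403, "access denied"
    return 200, f"record {policy_ids[0]}"
```

Which of the three criteria applies is, as the thread says, an application decision; what the framework can supply is the place where that decision is made on every request, with the subject taken from the session rather than from the URL.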