[Owasp-ajax] Ajax Security Project Roadmap (resend)
anurag.agarwal at yahoo.com
Mon Apr 9 16:34:00 EDT 2007
As has been discussed several times in various other articles, presentations, discussions, etc., Ajax by itself does not have security vulnerabilities, although it has the potential to enhance the damage that can be caused by existing vulnerabilities. So I would suggest changing the
Identify short list of top Ajax security vulnerabilities.
to mapping the OWASP Top Ten for Ajax.
Thoughts?
Cheers,
Anurag Agarwal
SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal at yahoo.com
Blog : http://myappsecurity.blogspot.com
----- Original Message ----
From: Rohini Sulatycki <rsulatycki at vml.com>
To: owasp-ajax at lists.owasp.org
Sent: Monday, April 9, 2007 6:56:08 AM
Subject: [Owasp-ajax] Ajax Security Project Roadmap (resend)
Resending in case this email didn’t reach everyone on the list:
Hi all:
As the new lead of the OWASP Ajax security project I thought that I would get the discussion started on putting together a roadmap for this project. Luckily I found a lot of information on this topic in the mailing list discussions from last year.
It would be great if everyone would take a look at the proposed roadmap and provide your feedback. If we can all agree on the items on the roadmap and prioritize them then we can get to work on the individual items. Also, if there are particular items that you are interested in working on or are already working on then let us know. I am looking forward to working with you all!
Ajax Security Project Roadmap (proposed)
Informational
Identify short list of top Ajax security vulnerabilities.
Detail Ajax functionalities which can be used in a malicious way, e.g. real-time keylogging.
Provide detailed interpretation of security principles, vulnerabilities, countermeasures for Ajax applications
Build and maintain a database of Ajax vulnerabilities
Start an incident database for hacking incidents using Ajax only, like the Samy worm.
Provide a security audit of all major Ajax frameworks, e.g. Atlas, GWT, Backbase.
Guidance
Complete Ajax Chapter of OWASP Guide.
Provide sample code.
Secure coding guidelines (without frameworks or toolkits).
Create an Ajax security engine (like the Struts input validation API).
Provide an awareness plan.
Develop/enhance testing tools
Standards
Align efforts with OpenAjax Alliance security TF: http://www.openajax.org/member/wiki/Security_TF
Assemble a team of experts from the most prominent open or closed source Ajax toolkit vendors
Invite members from the browser manufacturers as their participation would be paramount in securing the client side
Industry representatives from high-security (e.g. banking) institutions
Define the most fundamental issues (together), work out solutions to these issues, and create a certification program for vendors that would demonstrate their commitment to user security.
Thank you,
Rohini Sulatycki | VML | Technical Architect
250 Richards Road | Kansas City, MO 64116 | Phone: 816.218.3168 | 816.283.0954 | Email: rsulatycki at vml.com
_______________________________________________
Owasp-ajax mailing list
Owasp-ajax at lists.owasp.org
http://lists.owasp.org/mailman/listinfo/owasp-ajax