[Owasp-dotnet] OWASP .NET Project Weekly Update (Week Ending 4/12/2008)

Jeff Williams jeff.williams at aspectsecurity.com
Tue Apr 15 23:45:54 EDT 2008


Hi - just so we're all clear, ESAPI is *not* a framework - it's a
library of all the security methods that a typical web developer might
need.  It covers authentication, access control, canonicalization, input
validation, encoding, logging, encryption, http utilities, and even some
basic intrusion detection.  The idea is that these foundational building
blocks can be used from just about any framework.

Most people know not to develop their own encryption; that would be
crazy.  Well, the same thing is true for all the other security
mechanisms too.  We've got to stomp out "homegrown" security controls.
That's what we're trying to achieve with the ESAPI project.  Check it
out!

--Jeff

From: owasp-dotnet-bounces at lists.owasp.org
[mailto:owasp-dotnet-bounces at lists.owasp.org] On Behalf Of Mark Roxberry
Sent: Tuesday, April 15, 2008 11:26 PM
To: michaelslists at gmail.com
Cc: owasp-dotnet at lists.owasp.org; Eoin
Subject: Re: [Owasp-dotnet] OWASP .NET Project Weekly Update (Week Ending 4/12/2008)

Here's my perspective,

	personally i look at something like the esapi and think 'well when
	would i use it?' [and honestly, i also think 'well, do i trust it to
	do a better job than me?'].

You hit 2 items right off the bat:

1.  RE: When would I use it - I reckon we need something like a handbook
- which is the direction I'm heading with the OWASP .NET Project site.
I think it is a challenge for heavy technical security developers to
bridge the gap to business developers that need security guidance.
We're too entrenched for our own good sometimes (at least I am).
Guidance needs to be a priority.

2.  RE: Trusting the tools to do a better job than me - good point, and
why open source and loosely coupling our tool designs is important.  I
expect that OWASP developers like yourself are doing a better job than
me on my own (OWASP is an open source community and has qualified
standards - alpha, beta, release for its projects).  But if not, I would
hope I can rip and replace code.  If you haven't already, check out
plugin and provider development in .NET in the Code magazine article,
Design for Extensibility
<http://www.code-magazine.com/article.aspx?quickid=0801041&page=1>.
I've pushed this on a few folks - interestingly enough I haven't threat
assessed it (yeah, I'm putting this on the Project Wishlist
<https://www.owasp.org/index.php/.NET_Project_Wishlist>), so feel free
to analyze it with that in mind.  Also, using policy injection /
dependency injection (Unity, Castle.Windsor, Spring.NET) - we can create
even more loosely coupled tools.

Someday I'll learn not to be so verbose - 

On Tue, Apr 15, 2008 at 9:51 PM, silky <michaelslists at gmail.com> wrote:

On Wed, Apr 16, 2008 at 11:46 AM, Mark Roxberry <mark.roxberry at owasp.org> wrote:
> Hey Jason,
>
> I'll check the archives to see when that was brought up - maybe the poster
> is deep in code oblivious to our concerns.
>
> Regarding FxCop and ESAPI and other tools, I think we need many tools and a
> simplified process to apply those tools.  I like the idea of ESAPI
> (*disclaimer* I have not seen the actual implementation, I have read the
> docs).  If anyone is familiar with PHP, there's a quick start solution kit
> called CodeIgniter http://codeigniter.com/ - (not shilling, don't care that
> much right now about it, but the idea).  With CodeIgniter - you unpack the
> code literally and are ready to go with a PHP MVC model.  Not security based
> I know - but it is an intersectional idea.  Do we have something like that
> for ASP.NET / Silverlight / ASP.NET MVC?  Drop the code in place and I have
> my ASP.NET membership provider, SQL Express database, etc.  Is ESAPI the
> project that *should* be that?  Basically enterprise practices rolled out
> for any developer?  Feel free to correct my assumption.
>
> Bringing this update thread back around, I'm interested in how we can
> address concerns across the .NET ecosystem - right, so what types of things
> does your hobbyist web developer need, or your independent small / mid size
> ISV need?  What do consultants pulled into a job need?  What do the
> enterprise folks need?  All of these scenarios represent our community who
> we should support (IMO).

agreed.

personally i look at something like the esapi and think 'well when
would i use it?' [and honestly, i also think 'well, do i trust it to
do a better job than me?'].

this is why, for the .net model, i was thinking of projects along the
lines of re-implementing (securely) 'chunks' of things that the net
framework has. like the secure membership provider plan. then you
could also put out a bunch of security-minded validators maybe. etc.

*shrug*

just my rambling thoughts on the matter.


> 2 cents.
>
> -rox

--

http://lets.coozi.com.au/

There's not a problem I can't fix, because I can do it in the mix.
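
An added illustration of the two points made above (Jeff's "stomp out homegrown controls" and Mark's "rip and replace" through a provider model); this is not ESAPI code and not code posted by anyone in the thread, and every type and provider name in it is assumed for the example:

```csharp
// Added example: one security control (HTML output encoding) behind an
// interface, resolved by name from a small provider registry, so a homegrown
// implementation can be swapped for a library-backed one without touching
// the pages that call it.  A DI container (Unity, Castle.Windsor, Spring.NET)
// would take the place of the registry in a real application.
using System;
using System.Net;

public interface IOutputEncoder
{
    string EncodeForHtml(string untrusted);
}

// The kind of "homegrown" control the thread argues against: it handles
// angle brackets but forgets '&' and quotes, so attribute contexts are
// still mis-encoded.  Kept deliberately incomplete to show the gap.
public sealed class HomegrownEncoder : IOutputEncoder
{
    public string EncodeForHtml(string untrusted) =>
        untrusted.Replace("<", "&lt;").Replace(">", "&gt;");
}

// Library-backed replacement that delegates to the framework's encoder.
public sealed class FrameworkEncoder : IOutputEncoder
{
    public string EncodeForHtml(string untrusted) =>
        WebUtility.HtmlEncode(untrusted);
}

public static class SecurityProviders
{
    // Callers depend only on IOutputEncoder; the provider name would come
    // from configuration, which is what makes rip-and-replace a one-line change.
    public static IOutputEncoder Encoder(string providerName) => providerName switch
    {
        "homegrown" => new HomegrownEncoder(),
        "framework" => new FrameworkEncoder(),
        _ => throw new ArgumentException($"unknown encoder provider '{providerName}'")
    };
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample value: contains the characters the homegrown
        // encoder leaves untouched, so the two outputs differ visibly.
        const string sample = "Tom & \"Jerry\" <3";
        foreach (var name in new[] { "homegrown", "framework" })
            Console.WriteLine($"{name}: {SecurityProviders.Encoder(name).EncodeForHtml(sample)}");
    }
}
```

Running it shows the homegrown provider leaving `&` and `"` as-is while the framework provider encodes them, which is the concrete case for preferring a shared library control over a hand-rolled one.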
