[OWASP-GUIDE] Frameworks (.NET and J2EE) and Language Chapters

Andrew J. Downum andrew at psiqueue.com
Mon Dec 30 17:27:06 EST 2002


I think it is worth putting a brief mention about managed code in.  It
is certainly significant how managed code protects from BOF attacks, and
even more important to be very clear about which exploits managed code
does NOT defend against.  I think there is a common misunderstanding
that managed code = automatically safe from attack.

Absolutely, .NET allows the use of server components on an application
tier; the best way to go about this is using .NET remoting (assuming that
both of the tiers involved are using .NET), though web services are
also an option.  You are correct that most of the published samples for
.NET do not demonstrate this technique, and resort more to monolithic
pages.

My only concern with adding this into the document is that there again
is a whole can of worms associated with securing remoted calls, which
really couldn't be done justice in a few paragraphs.  Perhaps this is
the kind of thing we could reference external documentation on?

 ~ Andrew
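
[Editor's note: the following C# example is added here to illustrate the point Andrew makes above (managed code removes the buffer-overflow class of bugs but does nothing for application-level attacks) together with items 3b and 4b of his outline (parameterized "@ syntax" queries and server-side validation). It is not code from this thread or from the OWASP Guide. The Users table, the dbo.CountUsersByName stored procedure and the connection string are assumptions made for illustration; the hostile input string is constructed.]

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example; not from the OWASP Guide or this mailing-list thread.
// Assumed schema: table Users(UserName nvarchar(64), PasswordHash ...).
// Assumed stored procedure: dbo.CountUsersByName(@UserName nvarchar(64)).
public static class LoginLookup
{
    // Placeholder connection string (assumption, adjust for a real server).
    const string ConnStr = "Server=.;Database=AppDb;Integrated Security=true;";

    // INSECURE: this is fully managed code, so no buffer overflow is possible,
    // yet the query text is built by concatenation and user input is parsed
    // as SQL. Input such as  ' OR '1'='1  makes the WHERE clause match every row.
    public static string BuildUnsafeSql(string userName)
    {
        return "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
    }

    public static int CountUsersUnsafe(string userName)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(BuildUnsafeSql(userName), conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFER: the @UserName parameter is sent to SQL Server as typed data and
    // is never spliced into the statement text, so quotes in the input cannot
    // change the query's structure. The declared length also bounds the value.
    public static int CountUsersSafe(string userName)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName = @UserName", conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Same idea via a stored procedure (hypothetical dbo.CountUsersByName);
    // the parameter is still passed as data, not concatenated.
    public static int CountUsersViaProc(string userName)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand("dbo.CountUsersByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Server-side validation as a second layer. Client-side validators
    // (RequiredFieldValidator, RegularExpressionValidator, ...) are a usability
    // aid only: an attacker posts directly to the page, so the check must
    // also run on the server.
    public static bool IsValidUserName(string userName)
    {
        return !string.IsNullOrEmpty(userName)
            && userName.Length <= 64
            && Regex.IsMatch(userName, @"^[A-Za-z0-9_.\-]+$");
    }

    public static void Main()
    {
        string hostile = "' OR '1'='1";   // constructed attack input
        Console.WriteLine(BuildUnsafeSql(hostile));
        // -> SELECT COUNT(*) FROM Users WHERE UserName = '' OR '1'='1'
        Console.WriteLine(IsValidUserName(hostile));  // False: rejected before any query
        Console.WriteLine(IsValidUserName("alice_01")); // True
    }
}
```

Main only exercises the two functions that need no database, so the effect of the hostile input on the concatenated statement can be seen offline; the three database methods show the contrast between concatenation and parameterization and need a SQL Server with the assumed schema to execute.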

-----Original Message-----
From: Mark Curphey [mailto:mark at curphey.com] 
Sent: Monday, December 30, 2002 3:22 PM
To: owasp-guide at lists.sourceforge.net
Subject: RE: [OWASP-GUIDE] Frameworks (.NET and J2EE) and Language Chapters

Andrew

This looks great, really great.

Is it worth discussing managed code ?

One thing I am personally confused about on .NET is that I assume
you can write server components that run on an application tier (like a
servlet proxies from the web tier) but all the documentation I can find
really deals with model 1 type dynamic pages. Is it worth a paragraph or
two on this ?


On Mon, 2002-12-30 at 14:16, Andrew J. Downum wrote:
> I think that the most important thing here is to keep the scope of these
> chapters highly targeted to what our readers really care about.  J2EE
> and .NET both have nuances which could only be exhaustively discussed in
> a document larger than the entire OWASP, so we need to make sure we are
> getting to the meat of Web Application Security.
> 
> For .NET I think this means the following:
> 
> 1. ASP.NET Authentication methods
> 	a. Forms
> 	b. Windows
> 	c. Passport
> 	d. Custom
> 	e. None (RFC 2410) :)
> 2. ASP.NET Authorization
> 	a. Administrative (through web.config)
> 	b. Programmatic
> 	c. Declarative
> 3. ADO.NET (Data Access)
> 	a. Database connection authentication 
> 	b. Stored Procedures/Prepared statements (@ syntax)
> 4. Input Validation
> 	a. (Compare/RequiredField/Range/RegularExpression/Custom)Validator
> 	b. Server-side vs. client side
> 5. Storing Sensitive data on the server
> 	a. Cryptography
> 	b. web.config storage
> 6. Session Management
> 	a. Cookie/Munged URL
> 7. ViewState
> 	a. Encryption hashing...
> 	b. Difference between server and client storage 
> 8. Server Control Design considerations
> 	a. XSS
> 
> ~ Andrew
> 
> -----Original Message-----
> From: Mark Curphey [mailto:mark at curphey.com] 
> Sent: Monday, December 30, 2002 2:48 PM
> To: owasp-guide at lists.sourceforge.net
> Subject: RE: [OWASP-GUIDE] Frameworks (.NET and J2EE) and Language Chapters
> 
> OK thanks Chris, sorry about that, my bad.
> 
> We have you assigned for Java language and MVC only then.
> 
> Apurv mailed me and volunteered for J2EE so I have assigned it to him.
> 
> Andrew Downum also let me know my mail is stuffed (which I suspected so
> sorry about that Andrew) and is still on for the .NET stuff which is
> great.
> 
> I guess it would be useful for you two (Andrew and Apurv) or us all to
> discuss what we expect from the frameworks section ?
> 
> Here's my first thoughts:
> 
> Intro Discussion on how frameworks can take the effort out of
> development by introducing re-usable trusted components, encapsulating
> functionality etc 
> 
> Then for each of the two major ones we have planned .NET and J2EE an
> overview, the main features, the main security concepts etc
> 
> So for J2EE I guess the J2EE stack (EJB, servlets, jsps, JVM etc),
> security manager, class loaders etc (ie security architecture)
> 
> .NET would be asp.net, ado.net, the clr, cts etc, class libraries....
> 
> Maybe for each we could discuss things like auth and session management
> (httpSessionContext and .NET equiv etc)?
> 
> I know that's kinda a very high level but is that what everyone else was
> thinking ? 
> 
> 
> On Mon, 2002-12-30 at 11:39, Christopher Todd wrote:
> > To be honest, Mark, I do not think I can do all three of the sections you've
> > assigned to me, particularly since I only volunteered for one - the Java
> > language section.  I will try to tackle the MVC section, as I understand
> > those concepts, and have some experience with them.  But with respect to
> > J2EE, I've never used EJBs or JAAS (or many of the J2EE APIs), and I have
> > never performed a security review of an application that used EJBs or JAAS,
> > so I am probably not the person to be talking about J2EE.
> > 
> > I will try to submit my Java language section in the next couple of days.
> > 
> > Chris
> > 
> > > -----Original Message-----
> > > From: owasp-guide-admin at lists.sourceforge.net
> > > [mailto:owasp-guide-admin at lists.sourceforge.net]On Behalf Of Mark
> > > Curphey
> > > Sent: Sunday, December 29, 2002 9:37 PM
> > > To: owasp-guide at lists.sourceforge.net
> > > Subject: [OWASP-GUIDE] Frameworks (.NET and J2EE) and Language Chapters
> > >
> > >
> > > Do the authors of these sections want to submit a chapter outline to the
> > > list and CVS so we can discuss ?
> > >
> > > I still haven't heard from the .NET (Andrew Downum) so it's all up for
> > > grabs if anyone else is interested ;-) (Andrew, if I missed your mails
> > > for whatever reason I apologize)
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by:ThinkGeek
> > > Welcome to geek heaven.
> > > http://thinkgeek.com/sf
> > > _______________________________________________
> > > Owasp-guide mailing list
> > > Owasp-guide at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-guide