[Owasp-leaders] Where Strong Authentication Fails and What You Can Do
Dave Wichers
dave.wichers at owasp.org
Tue Feb 16 14:07:11 EST 2010
Marco,
I think Mike's suggestions are good (in terms of cross OWASP project
coordination). I don't think you need to work on either of these instead of
what you are proposing, unless you want to. However, what I would love to
see is the results of your project end up in ESAPI and the Dev Guide, and
maybe the testing and code review guides as well.
I think you should organize your project as you see fit (since it's your
project and volunteer time, which we appreciate). But I think ultimately
getting the results of this kind of work into the Guides and ESAPI will
serve as a great platform to get your results to a wider audience, which is
ultimately the goal, I think, for most OWASP projects.
For example, Michael Coates has his AppSensor project. First, he did a bunch
of research and wrote a paper and did some conference presentations. Then he
built a sample application and a set of routines to do what he proposed in
the paper, and now he is integrating the AppSensor routines into ESAPI. I
think this is great for his project, and great for ESAPI as well.
-Dave
-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski,
Michael [USA]
Sent: Tuesday, February 16, 2010 1:29 PM
To: owasp-leaders at lists.owasp.org; Marco M. Morana
Cc: Giorgio Fedon
Subject: Re: [Owasp-leaders] Where Strong Authentication Fails and What You
Can Do
Or actually... Consider contributing to the next Development Guide, for
which work has recently gotten underway:
http://owasp-development-guide.googlecode.com/files/development-guide-contributing.pdf
E.g., consider joining the authentication team:
http://code.google.com/p/owasp-development-guide/wiki/ProjectManagement_Assignments
FWIW
Best,
Mike B.
-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Boberski,
Michael [USA]
Sent: Tuesday, February 16, 2010 1:01 PM
To: owasp-leaders at lists.owasp.org; Marco M. Morana
Cc: Giorgio Fedon
Subject: Re: [Owasp-leaders] Where Strong Authentication Fails and What You
Can Do
Perhaps alternately, why not contribute to the ESAPI project, developing RSA
token/etc. authentication modules? I personally for example need ESAPI code
more than research. ESAPI provides implicit guidance on the "right" way to
do positive authentication etc.
FWIW
Best,
Mike B.
-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matteo Meucci
Sent: Tuesday, February 16, 2010 12:57 PM
To: Marco M. Morana
Cc: Giorgio Fedon; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Where Strong Authentication Fails and What You
Can Do
Hi Marco,
I think it is an excellent idea, OWASP needs this kind of project.
Why don't you start and lead a new project about it? Giorgio and I would
like to contribute as well.
Thanks,
Mat
On Mon, Feb 15, 2010 at 1:25 PM, Eoin <eoin.keary at owasp.org> wrote:
> Thanks for this,
> May be an idea to add to the authentication cheat sheet, I am
> currently doing.
>
>
> On 13 February 2010 23:14, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>>
>> Interesting Report From Gartner on the Weaknesses of Strong
>> Authentication (MFA):
>> http://www.gartner.com/resources/173100/173132/where_strong_authentication__173132.pdf
>>
>>
>>
>> I have been preaching about correcting these weaknesses of MFA (Multi
>> factor Authentication) in the last years in several talks I also did
>> with Tony UcedaVelez (OWASP Atlanta Chair) for OWASP in Los Angeles
>> and Cincinnati
>>
>>
>>
>> Maybe now that we have Gartner releasing this report we will have
>> some ears opening in the banking and financial industry?
>>
>>
>>
>> I think OWASP can catch the opportunity momentum for a new
>> guideline/project on how to implement strong authentication for the
>> banking on-line applications?
>>
>>
>>
>> Regards
>>
>> Marco M.
>>
>>
>>
>> OWASP Cincinnati Chapter Lead
>>
>> Writing Secure Software Author
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>
--
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders