[Owasp-board] Ideas for OWASP to work with Microsoft

dinis cruz dinis.cruz at owasp.org
Mon Aug 30 08:28:18 UTC 2010

(Sorry for the delay in sending this.) Following the email thread a while
back on what we should be doing here at OWASP-DotNet (and while I was on the
OWASP/O2 tour), I wrote down an email to Microsoft (included below) which I
think represents all the areas we could work together on, and ends with the
parts that I think we should focus on here at Owasp-dotnet.

My original plan was to have sent this to you and Microsoft S before I got
to Seattle, but I was not able to pull it off (then after the tour I had a
project to complete, so only now am I able to focus on this again).

I used the ideas that were mentioned during that email thread, and added
some of my thoughts/ideas.

So, what do you think?

Ideally we should get an agreement amongst us about these topics and then
send it as an 'open letter' to Microsoft and (with some minor modifications)
to other .NET communities (for example Mono).


OWASP is a worldwide community focused on Web Application Security and is
trying (amongst other things) to help developers to write secure code and

OWASP has grown quite spectacularly over the past couple of years (from its
humble beginnings at Mark Curphey's coffee table), and is now a well
respected community of worldwide application security experts focused on Web
Application Security.

Traditionally there has been very little involvement between OWASP and
Microsoft (the same problem happens, for example, with the OWASP Java project
and Sun/Oracle, with OWASP and the PHP community, etc.), but we really
should try to reset this relationship and figure out a way to work better.

Here are some ideas of where OWASP and Microsoft could collaborate:


   *Participation of Microsoft at OWASP Conferences:*

      For example Steve Lipner was a keynote speaker at our last European
      conference, and there are a number of forthcoming conferences that
      Microsoft could participate in: *Irvine CA* (Sep) (main OWASP
      conference in the US), *Ireland* (Sep), *Germany* (Oct),
      *Rochester NY* (Oct), *Austin TX* (Oct), *Washington DC* (Nov),
      *Brazil SP* (Nov), *Portugal* (Nov), *BeNeLux NL* (Dec)

   *“OWASP/.NET Security” tour of OWASP Chapters*

      OWASP currently has a large number of active chapters (spread around
      the world) that meet regularly to discuss web application security
      issues. In order to maximize impact and minimize effort, we could work
      together on an OWASP/.NET tour where a number of Microsoft employees
      and other .NET security experts would deliver a series of presentations
      at multiple chapters around the US or Europe or the World :).

   *Participation in OWASP Local Chapter Training events and (when set up)
   the OWASP Academies*

      Following the successful London delivery of “1 Day OWASP Focused”
      training courses (free to OWASP members), OWASP has decided to invest
      in this concept and hire an external resource to set up a number of
      follow-up course deliveries in Europe (including a tour of European
      chapters). It would be great to have direct participation of Microsoft
      in the .NET part of these courses.

      Note that part of the objective of this activity is to create strong
      connections with Universities, where they would host a number of these
      courses AND one day provide the courses themselves (maybe as an OWASP
      Academy (which is just an idea at the moment)).

   *ESAPI.NET project*

      The .NET port of ESAPI really needs a direct relationship with
      Microsoft. This is an area where OWASP is driving innovation in the
      Application Security space by creating a security control library (with
      Security Control Interfaces and proof-of-concept Reference
      Implementations). See the ESAPI main page for more details, and note
      that so far there are active ports from the original J2EE
      implementation in: .NET, Classic ASP, PHP, ColdFusion, Python,
      JavaScript, Force.com, Ruby, SwingSet

      Note that the objective of OWASP is not to deliver 'commercial
      grade' implementations of these controls, but to provide a common
      language to describe what they should look like, and reference
      implementations. The objective would be that Microsoft's own
      frameworks, platforms and applications should provide ESAPI-compatible
      methods so that once developers are knowledgeable in creating code
      using the ESAPI calls, they could use it on the .NET BCL, Microsoft
      Enterprise Library, SharePoint, WebMatrix, Web Protection Library,
      etc.

      - Also related are the OWASP Encoding

   *OWASP Testing Guide and OWASP Code Review projects*

      These OWASP projects are creating direct guidance for security
      consultants and developers on how to perform application security
      reviews from a BlackBox (Testing Guide) and WhiteBox (Code Review)
      point of view. The first release (available as a free download or a
      printed book) contains some .NET guidance and examples, but a lot more
      is needed, and since the work on the next version has just started,
      now is the perfect opportunity to be

   *OWASP Developers Guide*

      This OWASP project is focused on creating guidance for developers on
      how to design and build secure applications. This is quite an old OWASP
      project and some of its content needs a major update; the good news is
      that work has also just started on the next version, and especially
      since Microsoft has such a large body of work on the topic of 'Secure
      coding' it is critical that we work together so that the target
      audience gets the best possible

   *OWASP Security Ecosystems*

      A new idea that we are experimenting with at OWASP is the concept of
      creating a place where all available security guidance about a particular
      technology, platform or even application is normalized and presented in
      an easy to consume format. See
      http://www.owasp.org/index.php/Security_Ecosystem_Project for more
      details about the concept.

   *Multiple versions of the OWASP Top 10*

      The OWASP Top 10 is probably the most famous and successful OWASP
      project, and although it does a great job it would be great to have
      'technology-specific variations' like for example:

         OWASP Top 10 for .NET Framework

         OWASP Top 10 for SharePoint

         OWASP Top 10 for Silverlight

   *OWASP O2 Platform *

      New OWASP project which contains a number of .NET-specific innovations
      and a Static Analysis Engine. This topic will be covered in a separate

   *Threat Modeling for .NET*

      Although there are some crowds that think that Threat Modeling doesn't
      work, there has been a lot of good work, tools and ideas developed by
      Microsoft, and there is a good number of OWASP leaders that have quite
      a lot of interest in it (there are also some very interesting
      implications for threat modeling of the code artifacts created by the
      O2 Platform).

   *OWASP DotNet project*

      Last (but not least) is the OWASP .NET Project. Although traditionally
      there has been quite a lot of .NET-related activity at OWASP (see
      examples above), the OWASP .NET Project has struggled to find its
      place, focus and mission.

      Part of the problem has been the large body of .NET security knowledge
      that Microsoft already provides, and its (the OWASP DotNet Project's)
      focus on developing tools, research and even strategic guidance that
      developers are not that interested in.

      There is currently a large debate on the owasp-dotnet mailing list
      which is trying to figure out the next steps for this project, and the
      view is that the OWASP DotNet project should focus on four areas:

         *being an active voice for Security Guidance in the 'places
         developers hang out'*


            Developer Conferences

            MSDN mailing lists

         *providing security guidance on areas that the .NET developer
         community is VERY interested in:*

            Asp.Net request visualization and security mapping

            WCF visualization and security mapping

            Asp.Net MVC


            CAT.NET and FxCop


            Dynamic Languages (IronPython, IronRuby, etc.)

            WebBased APIs (Authentication, Authorization, Cloud, etc...)

            SilverLight Security (I have some question marks on this one
            since I'm not sure how big the SilverLight development market
            actually is)

         *Writing .NET security rules* (both black and white box)

            Integrated with the multiple OWASP Guides (Testing, Code Review
            and Developer)

            Consumable by scanning tools: CAT.NET, FxCop, Gendarme, O2
            Platform, IBM, Fortify, Armorize, WebInspect, Cenzic, etc.

         *organizing .NET Security Gatherings/Summits* where clients,
         developers and security experts come together to debate and work on
         .NET Security related issues

            OWASP is in a unique position to facilitate these meetings since
            we have active relationships with all parties and already have a
            track record of creating very productive environments

            See for example the OWASP Summit in Portugal (
            http://www.owasp.org/index.php/OWASP_EU_Summit_2008) and OWASP
            ESAPI Summit in DC (http://www.owasp.org/index.php/ESAPI_Summit)

Hopefully amongst the ideas presented above we can find a number where we can
collaborate in the short and medium term.

Best regards

The OWASP DotNet Project