[Owasp-board] Fwd: [Owasp-leaders] Summit 2011/OWASP Secure Coding Workshop

dinis cruz dinis.cruz at owasp.org
Sun Dec 19 11:59:08 UTC 2010


Board, see below Justin's idea to reach out to developers.

Supporting him with some marketing dollars is one of the things I would like
to do with the Summit budget (see my previous email)

Dinis Cruz

Begin forwarded message:

*From:* Justin Clarke <justin.clarke at owasp.org>
*Date:* 19 December 2010 11:16:49 GMT
*To:* dinis cruz <dinis.cruz at owasp.org>
*Cc:* Jim Manico <jim.manico at owasp.org>, John Steven <jsteven at maladjustment.org>, John Steven <John.Steven at owasp.org>, Dan Cornell <dan at denimgroup.com>, Chris Schmidt <chris.schmidt at aspectsecurity.com>, Michael Coates <mwcoates at gmail.com>, Sarah Baso <sarah.baso at owasp.org>, Benjamin Tomhave <btomhave at geminisecurity.com>, Jack Mannino <jack.a.mannino at gmail.com>, Jeremy Long <jeremy.long at gmail.com>
*Subject:* *Re: [Owasp-leaders] Summit 2011/OWASP Secure Coding Workshop*

I think there is crossover, but I'd prefer to make the distinctions between
tracks clearer too.

To be clear - the XSS eradication sessions are intended to be more
structured around outreach, planning agendas or local chapter outreach,
education, resources and awareness. We're specifically _not_ planning on
talking about how to better IV or OE, but how to reach the people who need
to be doing these and let them know they need to. To that end, it would be
good to reference anything coming out of the No Bull track, and plan how we
announce that (and by "announce", I really mean spread as widely as
possible as loudly as possible until developers are sick of hearing it) and
coordinate with local chapters.

Cheers

Justin

On 16 Dec 2010, at 04:02, dinis cruz wrote:

Justin, please see the thread below and share with this group your ideas for
the XSS Eradication Track (
http://www.owasp.org/index.php/Working_Sessions_XSS_Eradication)

I think there are a lot of synergies here

Dinis Cruz

On 16 December 2010 00:36, Jim Manico <jim.manico at owasp.org> wrote:

> John,
>
> I'd like to address specific threats in this working session, like XSS. XSS
> cannot be solved with OE alone. It cannot be solved with IV alone. Both are
> needed in harmony based on several factors including type of data submitted
> and context of display.
>
> That being said, doing both topics in one hour is pushing it. In that case,
> I'd like to take OE, I think it's an ultra-critical topic for webSec. Perhaps
> Chris could take on IV?
>
> Cool?
>
> -Jim Manico
> http://manico.net
>
> On Dec 15, 2010, at 10:27 AM, John Steven <jsteven at maladjustment.org>
> wrote:
>
> > Regarding OE and IV I agree that they're often interwoven and related.
> > Part of this is positive/essential and part of the mesh is failed
> > abstraction IMO.
> >
> > I actually imagined doing IV and OE (secretly topic #7 omitted from my
> > list) back to back but separately. I don't see starting with either
> > but think they need to be early on in the process.
> >
> > As we tease out the next level down in outline, I think the topic areas
> > / code to write for each will be easier to discuss. Perhaps you could
> > take one and Chris could take the other?
> >
> >
> > Train to catch,
> > -fon jOHN
> >
> > On Dec 15, 2010, at 8:39 AM, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> Thanks John.
> >>
> >> I'm planning on extending this section to "Input Validation and Output
> >> Encoding". Output encoding, especially around XSS, is actually quite
> >> difficult to get right (IV and OE are needed in conjunction here). This is
> >> especially true when dealing with AJAX rich applications and social media
> >> applications that display a great deal of untrusted data. I do hope to add
> >> value here.
> >>
> >> I'll certainly apply context for these major classes, that's a given.
> >>
> >> Framework integration is a bear in many cases. Especially around
> >> validation. I'll try to find good, meaty real-world examples to satisfy the
> >> system integrator in us all. :)
> >>
> >> Thanks John. I'm looking forward to a great deal more positive OWASP
> >> collaboration with you.
> >>
> >> -Jim Manico
> >> http://manico.net
> >>
> >> On Dec 15, 2010, at 7:23 AM, John Steven <John.Steven at owasp.org> wrote:
> >>
> >>> Jim,
> >>>
> >>> Good to have you. I think this section may be the 'easiest' inasmuch
> >>> as there's a lot of existing coded material and you probably have
> >>> shell examples in which to put said material. However, there are still
> >>> heady topics on which to make progress that have been discussed both
> >>> on-and-off the ESAPI list germane to this topic.
> >>>
> >>> Perhaps you can take a crack at a more detailed outline with an eye
> >>> towards instruction and defining development problems we can code
> >>> against. If you two get out in front of [that problem: the instruction
> >>> and defining coding problems for the summit] then we can use this
> >>> section's work as a template for the others, which are perhaps not as
> >>> far along in maturity.
> >>>
> >>> Two areas of focus _may_ be 1) determining context for applying the
> >>> existing functions and 2) integrating with frameworks (perhaps a good
> >>> foil for selecting victim app and other framework integration points).
> >>> But, you and Chris are probably better judges of the next level (more
> >>> detailed) of outline below what currently exists than me.
> >>>
> >>> -jOHN
> >>>
> >>> On Tue, Dec 14, 2010 at 11:47 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >>>> Dinis,
> >>>> Can we please change my section to "input validation and contextual
> >>>> encoding?" please?
> >>>>
> >>>> -Jim Manico
> >>>> http://manico.net
> >>>> On Dec 14, 2010, at 4:54 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> >>>>
> >>>> Just renamed the thread so we can continue here.
> >>>> The first pass at this Working Session Summit page is here:
> >>>> http://www.owasp.org/index.php/Summit_2011/OWASP_Secure_Coding_Workshop
> >>>> (still lots to do, but it is a good start)
> >>>> There are also individual WIKI pages for each session which you will need to
> >>>> update with the session's: Name, Objectives, Deliverables, Owner(s) and
> >>>> Members/Attendees
> >>>>
> >>>> Applying ESAPI Input Validation:
> >>>> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session025
> >>>> Defining AppSensor Sensors:
> >>>> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session026
> >>>> Managing Sessions:
> >>>> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session027
> >>>> Protecting Information Stored Client-Side:
> >>>> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session028
> >>>> Protecting Against CSRF:
> >>>> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session029
> >>>> Providing Access to Persisted Data:
> >>>> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session030
> >>>> The Future of "No Fluff" Secure Coding Workshop:
> >>>> http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session031
> >>>>
> >>>> All pages above are created using MediaWiki templates (just follow the
> >>>> instructions on the edit page) and their contents are also used to populate
> >>>> this page: http://www.owasp.org/index.php/Summit_2011#tab=Working_Sessions
> >>>> Sarah Baso is your main point of contact for any issues or requests with
> >>>> this page (she is a MediaWiki Wizard and is using O2 to edit it :) )
> >>>> Please get these mappings done as soon as possible so that we can announce
> >>>> this track to our community (this is a track that has a lot of potential to
> >>>> bring developers to the Summit)
> >>>> Dan, part of the reason why we will only do the final schedule at a later
> >>>> date, is to be able to accommodate (as much as possible) the participants'
> >>>> need/desire to attend multiple tracks (we will do our best :) )
> >>>> Dinis Cruz
> >>>>
> >>>>
> >>>> On 14 December 2010 04:54, Dan Cornell <dan at denimgroup.com> wrote:
> >>>>>
> >>>>> (added a couple of individuals to this list to hopefully make sure
> >>>>> everyone from both this email and the similar thread on "Creating OWASP 4.0"
> >>>>> gets the email)
> >>>>>
> >>>>>
> >>>>>> 5 Protecting against CSRF                 ????????
> >>>>>>   * Hygiene
> >>>>>>      * Discuss/show Frames-busting, cross-domain policy,
> >>>>>>      * Discuss referrer and other red herrings
> >>>>>>   * Tokens (crafting, scoping, and checking)
> >>>>>>   * Discussions, techniques on scale
> >>>>>>   * Discussions, techniques on CAPTCHA, re-auth, etc.
> >>>>>>
> >>>>>
> >>>>>
> >>>>> I'd be happy to take this one on. I'll need to make sure my facilitator
> >>>>> duties would be compatible with other commitments during the Summit, but
> >>>>> assuming that is the case I'd be happy to referee the discussion and help
> >>>>> bang out some code.
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Dan
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> OWASP-Leaders mailing list
> >>>> OWASP-Leaders at lists.owasp.org
> >>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>
>
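Added example, not part of this thread: a small Python sketch of Jim's point that input validation and output encoding have to work together and that the right encoding depends on the display context. The page template, the username grammar and the sample name are constructed for the illustration, and the encoders are hand-written here rather than ESAPI's.

```python
import html
import re

# Allow-list validation for a field with a known grammar (constructed rule). Validation
# narrows what is stored; it does not make a value safe for every output context.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def encode_html_body(value):
    """Text between tags: & < > " ' become entities."""
    return html.escape(value, quote=True)

def encode_html_attr(value):
    """Quoted attribute value: every non-alphanumeric character becomes an entity."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):X};" for c in value)

def _js_escape(c):
    cp = ord(c)
    if cp > 0xFFFF:  # outside the BMP: emit a UTF-16 surrogate pair
        cp -= 0x10000
        return f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}"
    return f"\\u{cp:04X}"

def encode_js_string(value):
    """Data inside a quoted JavaScript string literal: \\uXXXX escapes only."""
    return "".join(c if c.isalnum() else _js_escape(c) for c in value)

def render_profile(display_name):
    """The same untrusted value in three contexts, each with its own encoder. onclick is a
    nested context: the browser HTML-decodes the attribute first and only then parses it as
    JavaScript, so the value is JS-encoded and then attribute-encoded, in that order."""
    handler = encode_html_attr(encode_js_string(display_name))
    return (
        "<h1>" + encode_html_body(display_name) + "</h1>\n"
        '<input value="' + encode_html_attr(display_name) + '">\n'
        '<a onclick="greet(\'' + handler + '\')">hi</a>'
    )

def breaks_out_of_js_literal(attr_value):
    """Simulate the browser's parse order for greet('...') in an attribute: HTML-decode the
    attribute, then ask whether a raw single quote reaches the JavaScript parser."""
    return "'" in html.unescape(attr_value)

if __name__ == "__main__":
    name = "O'Brien"  # constructed input: a legitimate name that happens to carry a quote
    print(render_profile(name))
    print("attribute encoding alone:", breaks_out_of_js_literal(encode_html_attr(name)))
    print("JS then attribute:", breaks_out_of_js_literal(encode_html_attr(encode_js_string(name))))
```

The apostrophe in a perfectly valid name is enough to show the failure: attribute-encoding alone is undone by the HTML parser before the JavaScript parser sees it, while JS-then-attribute encoding survives both steps.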