[Owasp-board] Updated - Versions of secure coding guide

Eoin eoin.keary at owasp.org
Thu Sep 9 15:45:04 UTC 2010


Hi,

Love the checklist; it will really work well for developers as a "job aid".

Next time I fly I'll feel much safer!!! (this document is donated by Boeing,
right?!)

A few areas of suggestion, apologies if some of these suggestions are in the
document and I did not see them:

- Logging: what to log (& not to log), when to log. (I see there is a "Log all
  exceptions".)
- DV prior to logging; logging maximum length.
- Timestamp logging.
- Logging security events, including all authentication successes (to detect if
  a guessing attack was successful) + unsuccessful authentication & logout.
- Log storage & protection.
- Checking return codes of function calls.
- Reuse of security components (core functions for authorisation,
  authentication, error handling and logging) if possible?
- Authentication re-request when committing a transaction (prevent CSRF).

Cheers,

Eoin

On 9 September 2010 16:17, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:

> Keith,
>
> Both new versions have been uploaded.
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1
>
> Thanks,
>
> Paulo Coimbra,
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com]
> *Sent:* Thursday, 9 September 2010 16:07
> *To:* Paulo Coimbra
> *Cc:* jim.manico at owasp.org
> *Subject:* RE: Updated - Versions of secure coding guide
>
> Thank you and please forgive me. I noticed a typo in the new content right
> after I hit send.
>
> Please do one more upload for me.
>
> Ugghhh I am so sorry. I hate trying to rush things at the last minute.
>
> *Keith Turpin CISSP, CSSLP*
> *The Boeing Company*
> *Information Security*
> *(206) 683-9667*
>
> Email Notice: This communication may contain sensitive information. If you
> are not the intended recipient, or believe that you have received this
> communication in error, do not print, copy, retransmit, disseminate or
> otherwise use the information. Respond to the sender that you have received
> this e-mail in error, and delete the copy you received.
>
> ------------------------------
>
> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> *Sent:* Thursday, September 09, 2010 8:01 AM
> *To:* Turpin, Keith N
> *Cc:* jim.manico at owasp.org
> *Subject:* RE: Updated - Versions of secure coding guide
>
> Keith,
>
> I had been working on your project, had uploaded the versions you sent
> yesterday and was precisely writing down a couple of lines with my thoughts
> regarding the project’s next phase.
>
> http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About
>
> I will now upload the files’ new versions and thereafter will send you the
> above-referred thoughts.
>
> Many thanks, hope you make the most of your presence in our conference.
>
> Paulo Coimbra,
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com]
> *Sent:* Thursday, 9 September 2010 15:59
> *To:* Paulo Coimbra
> *Cc:* jim.manico at owasp.org
> *Subject:* Updated - Versions of secure coding guide
>
> Paulo,
>
> Sorry to keep bugging you. Last night, my time, I sent you the updated
> guide documents to post on the OWASP site. However, at the VIP event I had a
> chance to talk at length to Jim Manico and have made one final update to
> more precisely address his recommendation.
>
> Attached are the versions I would like to have you upload to the site for
> me, please. Note I just kept the same file names and rev levels as the ones
> I sent you last night, since no one else should have seen them yet.
>
> Again thank you soooo much for your help and patience.
>
> Keith Turpin CISSP, CSSLP
> The Boeing Company
> Information Security
> (206) 683-9667
>
> Email Notice: This communication may contain sensitive information. If you
> are not the intended recipient, or believe that you have received this
> communication in error, do not print, copy, retransmit, disseminate or
> otherwise use the information. Respond to the sender that you have received
> this e-mail in error, and delete the copy you received.
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
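The logging items in Eoin's list above (validate data before logging, cap the length, timestamp every record, and log authentication success as well as failure and logout so that a guessing attack that eventually succeeds can be detected) brought together as one small worked example. This is added code, not part of the Secure Coding Practices guide or of anything posted in this thread; the class and function names, the record format, the length limits and the detection threshold are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import re
from datetime import datetime, timezone

MAX_FIELD_LEN = 200      # assumed cap for any single user-supplied field
MAX_LINE_LEN = 1024      # assumed cap for a whole log line
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, tab and other control characters


def sanitize(value, max_len=MAX_FIELD_LEN):
    """Validate data before it is logged: neutralise control characters so a
    value cannot inject a fake line break (and thus a forged record), then
    enforce a maximum length so an oversized value cannot flood the log."""
    text = _CONTROL.sub("?", str(value))
    if len(text) > max_len:
        text = text[:max_len] + "[truncated]"
    return text


def quote_field(text):
    """Quote a field value so embedded spaces and quotes parse unambiguously."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


class SecurityLog:
    """Timestamped security-event log (hypothetical helper). In a real system
    the rendered lines would go to append-only storage the application cannot
    rewrite; here they are kept in a list."""

    def __init__(self, clock=None):
        self.lines = []       # rendered text records
        self.events = []      # structured copies, used by the detector below
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def event(self, kind, **fields):
        ts = self._clock().strftime("%Y-%m-%dT%H:%M:%SZ")   # UTC timestamp on every record
        clean = {sanitize(k, 32): sanitize(v) for k, v in fields.items()}
        parts = [f"ts={ts}", f"event={sanitize(kind, 32)}"]
        parts += [f"{k}={quote_field(v)}" for k, v in sorted(clean.items())]
        line = " ".join(parts)[:MAX_LINE_LEN]
        self.lines.append(line)
        self.events.append({"ts": ts, "event": kind, **clean})
        return line

    # Log both outcomes of authentication, plus logout, so the pattern of a
    # guessing attack that eventually succeeds is visible in the record.
    def auth_success(self, user, src):
        return self.event("auth_success", user=user, src=src)

    def auth_failure(self, user, src):
        return self.event("auth_failure", user=user, src=src)

    def logout(self, user, src):
        return self.event("logout", user=user, src=src)


def guessed_logins(events, threshold=3):
    """Detection over the structured events: report (user, src, failures) where
    a success was preceded by at least `threshold` consecutive failures for the
    same user from the same source. If only failures were logged, the eventual
    success would be invisible here."""
    streak = {}
    hits = []
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e["event"] == "auth_failure":
            streak[key] = streak.get(key, 0) + 1
        elif e["event"] == "auth_success":
            if streak.get(key, 0) >= threshold:
                hits.append((key[0], key[1], streak[key]))
            streak[key] = 0
    return hits


if __name__ == "__main__":
    log = SecurityLog()
    # Constructed sample input: a user name carrying CR/LF (which, unsanitised,
    # would render as a second record) and a short guessing run, then a success.
    log.auth_failure("alice\r\nevent=auth_success user=admin", "203.0.113.5")
    for _ in range(4):
        log.auth_failure("bob", "198.51.100.7")
    log.auth_success("bob", "198.51.100.7")
    log.logout("bob", "198.51.100.7")
    print("\n".join(log.lines))
    print("suspicious:", guessed_logins(log.events))
```

The list standing in for storage is the part a real deployment would replace: "log storage & protection" from the list means the application process should only be able to append, never read back or rewrite, which is a property of the sink rather than of this code.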