[OWASP-GUIDE] To Do List

Mark Curphey mark at curphey.com
Sat Mar 29 13:07:29 EST 2003


I'll add to the SSL section later. In particular I was playing with
OpenSSL and found I could force about 50% of the sites I tested to do an
unauthenticated key exchange ;-) Should also discuss cipher specs and
key lengths etc

I was also thinking there are some basic things we are missing like

Adding a security policy statement to the site
Adding a How to report a security problem page to the site

I like the Unicode idea. Actually I have never been able to clearly wrap
my head around the whole canonicalization stuff. A good section on where
and why it matters and how to deal with it would be really useful.

I'll add them to the task list and will pull a late one tonight and
tackle a few.

On Sat, 2003-03-29 at 01:43, Adrian Wiesmann wrote:
> > Can you send me the latest to-do list again... I have some time this
> > weekend and I can add a few things. Don't have the last list handy.
> 
> It is a proprietary list neither complete nor over the whole project. It
> is just a list of things I have seen and would like to change or add.
> 
> Regards,
> Adrian
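
The "unauthenticated key exchange" Mark describes is a server that still accepts anonymous (aNULL) cipher suites. Below is an added example of how to check that with the OpenSSL command-line tool; it is not code from the Guide or from either correspondent. It assumes OpenSSL 1.1.1 or later is on the PATH (for the -no_tls1_3 flag and the @SECLEVEL syntax) and offers the server only anonymous suites over TLS 1.2 and below, since TLS 1.3 has no anonymous suites. The weak_reasons helper is also an addition: it classifies a negotiated cipher by the components of its OpenSSL name (anonymous, export-grade, RC4, null encryption, single DES) so that cipher specs and key lengths can be flagged from the same output.

```shell
#!/bin/sh
# Added example (not from the OWASP Guide or the mailing list): probe a
# TLS server for anonymous (unauthenticated) key exchange and flag weak
# cipher names. Assumption: OpenSSL 1.1.1 or later provides `openssl`.

# Read `openssl s_client` output on stdin and print the negotiated cipher,
# or NONE when no handshake completed. The relevant line looks like
#   New, TLSv1.2, Cipher is ADH-AES128-SHA      (handshake succeeded)
#   New, (NONE), Cipher is (NONE)               (handshake refused)
parse_sclient_cipher() {
    cipher=$(sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)') echo NONE ;;
        *)           echo "$cipher" ;;
    esac
}

# Describe why an OpenSSL cipher name (TLS 1.2 and earlier) is weak, using
# only the components of the name; prints "none" when nothing is recognised.
weak_reasons() {
    name=$1
    reasons=''
    # ADH/AECDH: Diffie-Hellman with no signature, so no server authentication
    case "$name" in *ADH-*|*AECDH-*) reasons="$reasons anonymous" ;; esac
    # EXP/EXP1024: 40-bit and 56-bit export-grade key material
    case "$name" in EXP-*|EXP1024-*) reasons="$reasons export-grade" ;; esac
    case "$name" in *RC4*)           reasons="$reasons rc4" ;; esac
    # NULL- suites authenticate but do not encrypt
    case "$name" in *NULL-*)         reasons="$reasons no-encryption" ;; esac
    # DES-CBC-SHA is single 56-bit DES; DES-CBC3-SHA (3DES) does not match
    case "$name" in *DES-CBC-SHA)    reasons="$reasons single-des" ;; esac
    if [ -z "$reasons" ]; then echo none; else echo "${reasons# }"; fi
}

# Offer the server only anonymous suites (aNULL) over TLS 1.2 or lower.
# TLS 1.3 is excluded because it has no anonymous suites, so a TLS 1.3
# handshake would hide the answer. @SECLEVEL=0 lets the client offer suites
# that OpenSSL's default security level would otherwise drop.
# Returns 0 if the server accepted an anonymous suite, 1 otherwise.
anon_kex_accepted() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -no_tls1_3 -cipher 'aNULL:@SECLEVEL=0' </dev/null 2>/dev/null || true)
    cipher=$(printf '%s\n' "$out" | parse_sclient_cipher)
    if [ "$cipher" = NONE ]; then
        echo "$host:$port rejects anonymous key exchange"
        return 1
    fi
    echo "$host:$port ACCEPTS anonymous key exchange: $cipher ($(weak_reasons "$cipher"))"
    return 0
}

# Usage (needs network access): sh probe.sh example.com 443
if [ -n "${1:-}" ]; then
    anon_kex_accepted "$1" "${2:-443}"
fi
```

To see which suites the probe actually offers on your build, run `openssl ciphers -v 'aNULL'`; a server that completes the handshake against that list will talk to anyone who intercepts the connection, because no certificate is ever checked.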
