[OWASP-GUIDE] Status of the Guide v2

Andrew van der Stock vanderaj at greebo.net
Sat May 8 13:00:12 EDT 2004

I've done a fair few code reviews in the last few years. Here's my "2.48 am"
recollection of what languages they were written in:

Here's the breakdown:

Java		the majority of my reviews overall. 
ASP.NET	most of my reviews in 2004 outright
ASP		most of my reviews in 2003*
2 IAS (=Java embedded in Oracle stored procs), 2004
1 Delphi app (2004)
1 Python app (2003)
1 PowerBuilder site (very large project, though) (2003)
1 Cold Fusion == second worst result on any of my code reviews (2002)

I've seen very little PHP commercially, but it's all I see in the open
source world. (Un)fortunately, most of my customers don't run it. I simply
don't come across Perl any more. I've not done a Perl review since 2000.

I think if we cover the major ones, particularly J2EE 1.4, ASP and .NET, we
will have the commercial side covered for > 95% of all cases. Add PHP (which
is an absolute nightmare to get right), and that is a goodly slab of open
source land (the old LAMP ready to blow). 

In J2EE land, if anything we need to convince people to not re-invent the
wheel. I like Struts with its validation fields. Almost as easy as ASP.NET's.


* I had one long engagement in 2003 ferreting around in one app, two
versions, both of which could be considered the best WebGoat replacement ...
ever. It got worse between versions. It failed every single Guide 1.x
section, plus a fair slab of ISO 17799 and the customer's requirements. I
loathed / loved doing that review.

-----Original Message-----
From: owasp-guide-admin at lists.sourceforge.net
[mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Chris Todd
Sent: Sunday, 9 May 2004 1:42 AM
To: owasp-guide at lists.sourceforge.net
Subject: RE: [OWASP-GUIDE] Status of the Guide v2


> C# and others would fit in nicely as well. The only question is: Do we
> have authors for these sections...

Andrew appears to be willing to write the .NET stuff.  That would give us
the big three (Java, PHP, and M$), the next question would be: what others
make sense for us to tackle?

In terms of getting the most bang for the buck (that is, helping the largest
number of developers with the least amount of effort on the part of the
authors), I am guessing Perl CGI scripts should probably be next in
priority.  I could probably take a stab at that, since there is already a
wealth of information available, and I'm fairly comfortable with Perl.

Any other language suggestions?  What other languages are people using
regularly to write web apps?  I know Python is used some; has anyone seen
any Cold Fusion web apps in the last year or two?

Perhaps we could put a poll on the OWASP website or on the webappsec mailing
list asking "Which web app development language most desperately needs a
section in the OWASP guide v.2?"  What do you think?
