[OWASP-GUIDE] RE: ColdFusion Section

Erick Lee erlee at macromedia.com
Wed Sep 14 18:14:42 EDT 2005


Regarding the ColdFusion section, I plan on having a draft for you by
the end of September.  In addition, if you need someone for .NET I could
do that as well.

- Erick

-----Original Message-----
From: owasp-guide-admin at lists.sourceforge.net
[mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of
owasp-guide-request at lists.sourceforge.net
Sent: Monday, September 12, 2005 8:17 PM
To: owasp-guide at lists.sourceforge.net
Subject: Owasp-guide digest, Vol 1 #270 - 4 msgs

Send Owasp-guide mailing list submissions to
	owasp-guide at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/owasp-guide
or, via email, send a message with subject or body 'help' to
	owasp-guide-request at lists.sourceforge.net

You can reach the person managing the list at
	owasp-guide-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Owasp-guide digest..."


Today's Topics:

   1. Re: Draft chapters for OWASP Guide 2.x (fnargle) (Andrew van der Stock)
   2. Re: 2.0.2 (Andrew van der Stock)
   3. Re: Phishing section in the guide: no XSS or secure auth? (Andrew van der Stock)
   4. Guide 2.1 Draft 1 (Andrew van der Stock)

--__--__--

Message: 1
Cc: owasp-guide at lists.sourceforge.net
From: Andrew van der Stock <Vanderaj at greebo.net>
Subject: Re: [OWASP-GUIDE] Draft chapters for OWASP Guide 2.x (fnargle)
Date: Mon, 12 Sep 2005 23:15:58 +1000
To: Frank Lemmon <flemmon at qualys.com>
Reply-To: owasp-guide at lists.sourceforge.net

Checked in :)

Andrew

On 03/09/2005, at 10:16 AM, Frank Lemmon wrote:

> <Software Quality Assurance.doc>



--__--__--

Message: 2
Cc: owasp-guide at lists.sourceforge.net
From: Andrew van der Stock <vanderaj at greebo.net>
Subject: Re: [OWASP-GUIDE] 2.0.2
Date: Mon, 12 Sep 2005 23:20:40 +1000
To: Dan Cornell <dan at denimgroup.com>
Reply-To: owasp-guide at lists.sourceforge.net

Checked in.

Andrew

On 02/09/2005, at 2:29 AM, Dan Cornell wrote:

> <Session Management.doc>



--__--__--

Message: 3
From: Andrew van der Stock <vanderaj at greebo.net>
Subject: Re: [OWASP-GUIDE] Phishing section in the guide: no XSS or
secure auth?
Date: Mon, 12 Sep 2005 23:28:04 +1000
To: owasp-guide at lists.sourceforge.net
Reply-To: owasp-guide at lists.sourceforge.net



Comment inserted into the latest chapter - I will deal with it shortly.

Andrew

On 03/08/2005, at 8:45 PM, Javier Fernandez-Sanguino wrote:

> Just a question that popped into my mind when skimming through the
> phishing section in the Guide:
>
> - There is no mention of the issues related to phishing scams and
> XSS attacks. Whereas a phishing web server can be taken off by
> authorities, it is much harder to do so if a phisher uses
> _your_site_ (through XSS flaws) to organise a phishing scam. Not
> only is the fix more complex ("have to fix the application! now!"),
> but it also makes other recommendations about phishing worthless
> ("make sure you are in a secure site? Check. Web site belongs to
> the bank? Check. SSL in use? Check....")
>
> - (This might be controversial) There is no mention of replacing
> the aged user/password login process with secure authentication (be
> it token or smart cards). Granted, secure authentication does not
> drive phishing attacks away, but it does shift them from "steal
> password" to "steal session" (or MITM attacks), and if you are using
> secure authentication for the "operation" key (not the "access"
> key), i.e. the one that is not associated with the session, you
> force phishers to shift tactics. (They will probably shift tactics
> to trojaning the systems of remote users, however)
>
> Just a few cents to spark some discussion. Andrew, if you want to,
> I can write some paragraphs about this for that section.
>
> Regards
>
> Javier

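The "operation key not associated with the session" idea in Javier's second point, shown as an added example that is not part of this thread or of the OWASP Guide. It assumes one concrete way of doing it: the user's token holds a per-user secret and computes an HMAC over the transaction details plus a nonce, and the server verifies that code independently of the session cookie. The `Bank` class, account names and amounts are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets


class Bank:
    """Constructed server side: a session (the 'access' key) plus a
    separate per-operation authorization code (the 'operation' key)."""

    def __init__(self):
        self.sessions = {}      # session id -> username
        self.op_secrets = {}    # username -> secret held by the user's token
        self.used_nonces = set()

    def enroll(self, user):
        # In a real deployment this secret would live only inside the
        # user's token or smart card; here it is returned for the demo.
        secret = secrets.token_bytes(32)
        self.op_secrets[user] = secret
        return secret

    def login(self, user):
        # The session id is the 'access' key: useful to read pages, but
        # on its own it must not be enough to move money.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    @staticmethod
    def canonical(to_account, amount, nonce):
        # The code is bound to the exact details the user approved, so an
        # attacker who swaps the destination account invalidates the code.
        return f"{to_account}|{amount}|{nonce}".encode()

    def transfer(self, sid, to_account, amount, nonce, code):
        user = self.sessions.get(sid)
        if user is None:
            return "denied: no session"
        if nonce in self.used_nonces:
            return "denied: replayed operation code"
        expected = token_compute_code(self.op_secrets[user], to_account, amount, nonce)
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            return "denied: bad operation code"
        self.used_nonces.add(nonce)
        return f"ok: {user} -> {to_account} {amount}"


def token_compute_code(secret, to_account, amount, nonce):
    """Constructed token side: what the user's device computes from the
    transaction details shown to the user (hypothetical scheme)."""
    return hmac.new(secret, Bank.canonical(to_account, amount, nonce),
                    hashlib.sha256).hexdigest()


def demo():
    bank = Bank()
    secret = bank.enroll("alice")
    sid = bank.login("alice")
    nonce = secrets.token_hex(8)
    results = {}

    # 1. Legitimate transfer: session plus a code the token computed.
    code = token_compute_code(secret, "ACC-123", "100.00", nonce)
    results["legit"] = bank.transfer(sid, "ACC-123", "100.00", nonce, code)

    # 2. A stolen session cookie alone cannot authorize an operation.
    results["stolen_session"] = bank.transfer(sid, "ACC-999", "100.00",
                                              secrets.token_hex(8), "guess")

    # 3. A man-in-the-middle that alters the destination breaks the binding.
    nonce2 = secrets.token_hex(8)
    code2 = token_compute_code(secret, "ACC-123", "50.00", nonce2)
    results["mitm_swap"] = bank.transfer(sid, "ACC-999", "50.00", nonce2, code2)

    # 4. Replaying an already-used code is refused by the nonce check.
    results["replay"] = bank.transfer(sid, "ACC-123", "100.00", nonce, code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The point of the check in `transfer` is that the code is verified against a secret the server never sends over the session, and against the details of this one operation, so possession of the session (or of a code captured for a different transfer) is not sufficient; that is the tactical shift the comment describes.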



--__--__--

Message: 4
To: owasp-guide at lists.sourceforge.net
From: Andrew van der Stock <vanderaj at greebo.net>
Date: Tue, 13 Sep 2005 00:46:34 +1000
Subject: [OWASP-GUIDE] Guide 2.1 Draft 1
Reply-To: owasp-guide at lists.sourceforge.net

Hi there,

Guide 2.1 Draft 1 has been uploaded to CVS. This contains all current  
comments and revised chapters.

I would like more reviews done. The deadline for this round is  
September 30.
- Dan and David have a lock on their previously reviewed chapters  
unless they think they are finished with them
- Frank Lemmon has a lock on SQA
- Robert J. Hansen has a lock on cryptography
- Raoul Endres has a lock on privacy

All other chapters are open for review. Please nominate which you'd  
like to do here, and it'll be so. If you have a partially reviewed  
chapter, please submit it now anyway, and it'll be yours until  
September 30.

New materials for 2.1

* I will be writing the distributed computing chapter, and it will  
be submitted by September 30.
* J2EE and .NET specific guidelines in the appendix. I'd suggest that  
one person take on each rather than both being taken on by a single  
person. I have had an offer of a ColdFusion chapter, but I have not  
heard back as yet

Changes
* current draft.pdf
- This file represents the current stable draft, with document  
comments and so on turned on. Due to large numbers of comments, there  
are two pages of comments at the rear of the document.

* New chapters
- SQA by Frank Lemmon
- Distributed Computing (race conditions). New but no content

* Edits
- Updated TOC
- Removed Mark Curphey and Alex Russell from the credits at their  
request
- Minor edits from many members of the public
- Comments from the public which will require longer thought added to  
many chapters (particularly phishing)

* Reviewed chapters checked in wholesale (thanks heaps!)
- Authentication, Authorization and Session Management - Dan Cornell
- Data validation - David Rice

Thanks to everyone who helped with this!
Andrew



--__--__--

_______________________________________________
Owasp-guide mailing list
Owasp-guide at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-guide


End of Owasp-guide Digest
