[Owasp-guide] Proposal and discussion of draft Developer Guide2013 ToC

Juan C Calderon johnccr at yahoo.com
Fri May 11 18:59:55 UTC 2012

I see Classic ASP as comparable to PHP in terms of security: there is nothing really built in, so you have to build it yourself or plug in a third-party framework/filter/ISAPI/COM/ActiveX, etc.

ASP.NET is very different from Classic ASP, especially from framework 1.1 and above.

I think what is more confusing in Classic ASP is that you can mix multiple contexts. For example, in my own training I explain that a page is interpreted in 4 stages:

1. First for Server Side Includes, where the content referenced by "include" tags is added to the main page on the fly (not interpreted yet)
2. Then server-side VBScript code is executed, generating an HTML file (the page is served at this point)
3. The HTML code is rendered in the browser
4. The JavaScript code is executed in the browser

Once you know this, you can avoid a lot of problems that might lead to data disclosure, logic issues and other problems.

Let me mention a few errors I have seen in the past. 

- A piece of code like the following might look OK but will never work:

<!--  #include file="page<%= PageId %>.inc"-->

- HTML comments here do not prevent execution of server-side code (and thus disclose data):

    <!-- <%= MySecret %> -->


- Or, mixing server-side and client-side contexts (with Option Explicit off), you will always be an admin here:

<script language="JavaScript">
// Client-side: runs in the browser (stage 4), after the server has already
// produced the page, so this value never reaches the server-side check.
var role = 1;
</script>
<%
        ' Server-side: "role" was never declared on the server, so with
        ' Option Explicit off it is Empty, and Empty = 0 evaluates to True.
        if role = 0 then
            response.write "You are admin"
        else
            response.write "You are NOT admin"
        end if
%>


So I'm not sure how all this is going to fit in the guide, but I think we can look for the right spot once it starts taking shape.

Juan Carlos
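The three mistakes above all come from the stage ordering described in the message. As an added example (not code from the original message or from the Developer Guide), the following Python models stages 1 and 2 of that pipeline on constructed sample pages: includes are spliced in as plain text before any `<%= %>` is evaluated, `<%= %>` is then evaluated everywhere regardless of HTML comments, and an undeclared server-side variable is modelled as VBScript's Empty, which compares equal to 0. The function names, the `EMPTY` sentinel and the sample page/include contents are this example's own assumptions, not ASP API.

```python
import re

# Added illustration of the Classic ASP processing order; this is a model,
# not the real ASP engine. All sample pages and include files are constructed.

INCLUDE_RE = re.compile(r'<!--\s*#include\s+(?:file|virtual)="([^"]*)"\s*-->', re.I)
EXPR_RE = re.compile(r'<%=\s*(\w+)\s*%>')
EMPTY = None  # stand-in for VBScript's Empty (undeclared variable, Option Explicit off)


def stage1_includes(page, files):
    """Stage 1: server-side includes are spliced in as text before any ASP
    code runs, so the file name is used literally, <%= ... %> and all."""
    def splice(match):
        name = match.group(1)
        if name not in files:
            raise FileNotFoundError("include not found: %r" % name)
        return files[name]
    return INCLUDE_RE.sub(splice, page)


def stage2_server_code(page, server_vars):
    """Stage 2: every <%= name %> in the page is evaluated. An HTML comment is
    just text at this stage, so it does not stop evaluation; an undeclared
    name is Empty, which renders as the empty string."""
    def render(match):
        value = server_vars.get(match.group(1), EMPTY)
        return "" if value is EMPTY else str(value)
    return EXPR_RE.sub(render, page)


def vb_equals(left, right):
    """VBScript '=' with an Empty operand: Empty compares equal to 0 and to ''."""
    if left is EMPTY:
        return right in (0, "")
    if right is EMPTY:
        return left in (0, "")
    return left == right


def admin_check(server_vars):
    """The role check from the third snippet, as the server evaluates it.
    A 'role' assigned by client-side JavaScript never reaches this scope."""
    role = server_vars.get("role", EMPTY)
    return "You are admin" if vb_equals(role, 0) else "You are NOT admin"


def serve(page, files, server_vars):
    """Stages 1 and 2; the result is what the browser receives (stages 3 and 4)."""
    return stage2_server_code(stage1_includes(page, files), server_vars)


# Constructed pages reproducing the first two errors.
DYNAMIC_INCLUDE = '<!-- #include file="page<%= PageId %>.inc" -->'
COMMENTED_SECRET = '<!-- <%= MySecret %> -->'
INCLUDE_FILES = {"page7.inc": "<p>page seven</p>"}


def include_fails():
    """True when the dynamic include is rejected: the literal name
    'page<%= PageId %>.inc' is looked up, because PageId is not evaluated yet."""
    try:
        serve(DYNAMIC_INCLUDE, INCLUDE_FILES, {"PageId": 7})
    except FileNotFoundError:
        return True
    return False


def secret_leaks():
    """The text the browser receives: the secret sits inside the HTML comment."""
    return serve(COMMENTED_SECRET, INCLUDE_FILES, {"MySecret": "s3cr3t"})


if __name__ == "__main__":
    print(include_fails())            # True
    print(secret_leaks())             # <!-- s3cr3t -->
    print(admin_check({}))            # You are admin
    print(admin_check({"role": 1}))   # You are NOT admin
```

The fix for the third case is the one the message implies: turn Option Explicit on so the undeclared `role` is a compile error, and take the role from server-side state (e.g. the session) rather than from anything the browser sets.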

From: Tim Kulp <timkulp at live.com>
To: Juan C Calderon <johnccr at yahoo.com>; Andrew van der Stock <vanderaj at owasp.org>; owasp-guide at lists.owasp.org
Cc: Dave Wichers <dave.wichers at owasp.org>; projects at owasp.org; Eoin Keary <eoin.keary at owasp.org>
Sent: Friday, May 11, 2012 11:45 AM
Subject: Re: [Owasp-guide] Proposal and discussion of draft Developer Guide2013 ToC

I think this would be a great addition.

On the topic of Classic ASP, should we discuss some of the security features that are different between ASP and ASP.NET? I ask that because I know many developers who really treat them the same and thus do not get a lot of the security features built into ASP.NET, like the membership provider.

From: Juan C Calderon
Sent: Friday, May 11, 2012 8:56 AM
To: Andrew van der Stock; owasp-guide at lists.owasp.org
Cc: Dave Wichers; projects at owasp.org; Eoin
Subject: Re: [Owasp-guide] Proposal and discussion of draft Developer Guide2013 ToC

Wow, a very large and ambitious ToC. I am willing to start writing those Classic ASP samples. Also, I can start organizing the translation to Spanish as soon as the guide starts taking shape.

Juan Carlos


From: Andrew van der Stock <vanderaj at owasp.org>
To: owasp-guide at lists.owasp.org
Cc: Eoin Keary <eoin.keary at owasp.org>; projects at owasp.org; Dave Wichers <dave.wichers at owasp.org>
Sent: Thursday, May 10, 2012 10:52
Subject: [Owasp-guide] Proposal and discussion of draft Developer Guide 2013 ToC

Hi folks,

Please review

Can you please look over this ToC.

Let's start discussing what should be in and out of the Guide. I'm going deliberately for inclusiveness, as if it's not in the Developer Guide, where will it be? However, I'm willing to be convinced if you have stronger arguments than

The numbering scheme is the (stalled) OWASP Common Numbering Scheme. It's time for that to be completed, so I've cc'd Dave Wichers, the project leader for that effort. I want to ensure that we are very strongly aligned with the ASVS <- Developer Guide <-> Testing Guide <-> Code Review Guide, because this time around we will not be discussing how to do code reviews and how to test except to point to those other texts.

Claim your chapters

I'd like for folks to start claiming chapters here (first post wins!) where a chapter is DG-MAJOR and not just a sub-section. For longer chapters (those likely to have more than six patterns), I want at least two and preferably four or five folks to work together.

I'd like to nut out the title for the next release. Can you please indicate your preferred name for the next release:

OWASP Developer Guide 2013 <-- mine
OWASP Developer Guide 4.0 <-- timeless
OWASP Developer Guide 3.0

That's my preferred order. The main reason for not using 3.0 is that we've had two shots at that version now, and I honestly think it's time to increment to 4.0.

The 10th anniversary of the Guide is next month. I'm going to try and have a surprise for that. However, this project should not lose sight of the 2013 goal. For that reason, I'd like for us to be ready to release no later than OWASP AppSec US in Northern hemisphere fall 2013, but preferably by AppSec EU next year.

Rebirth as a ready-to-use textbook, education piece

In other news, I had a lovely dinner with the delightful Laura Bell, who got me thinking about how best to make use of the Guide.

I'd like for the Developer Guide to be immediately useful as a K11-12 / first-year University text book. This means I'd like to work with the OWASP Education project on simultaneously updating my two-day deck into a 15 or 16 week deck and exercises and labs that teachers and lecturers can use either directly with WebGoat or directly with the deck we provide. We really need to start educating the next generation behind us to prevent security becoming a forgotten art. Once that's done, it's easy enough to create a dense 2 or 3 day deck for trainers to deliver to organisations and businesses, with the Developer Guide being the lecture text and the next version of ASVS as the two-to-three day text.

Whilst we will be developing this in the Wiki, and that's how I tend to use OWASP materials today, I am happy to create a final PDF and an iBook download for the OWASP website, and possibly work with a publisher to get the Developer Guide prepared for print publication. Personally, I think having a freely downloadable version on our website, and in iTunes U along with someone teaching the materials on screen (look for CS 193P for what I have in mind), will be the lowest barrier to entry. I'm not convinced that dead tree printing is the best today, but I have a Kindle and an iPad, so I'm biased.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-guide/attachments/20120511/955e9aa4/attachment.html>