[Owasp-guide] Proposal and discussion of draft Developer Guide2013 ToC
Juan C Calderon
johnccr at yahoo.com
Fri May 11 18:59:55 UTC 2012
I see Classic ASP can be comparable to PHP in terms of security, there is nothing really built up, but you have to build it yourself or plug in a third party framework/Filter/ISAPI/COM/ActiveX, etc..
ASP.NET is very different to classic ASP. specially from framework 1.1 and above.
I think what is more confusing in Classic ASP is that you can mix multiple contexts, for example, in my own training I explain a page is interpreted in 4 stages:
1. First for Server Side Inclusions, where code in "include" tags is added to main page on the fly (not interpreted yet)
2. Then Server side VBScript code is executed, generating a HTML file (Page is then served here)
3. HTML code is rendered in Browser
Once you know this you can avoid a lot of problems that might lead to data disclosure, logic issues and other problems.
Let me mention a few errors I have seen in the past.
- A piece of code like the following might look OK but will never work
<!-- #include file="page<%= PageId %>.inc"-->
- HTML comments here do not prevent execution of server side code (and thus disclose data)
<%= MySecret %>
- Or mixing server vs client side contexts (option explicit set to off) you will always be an admin here
var role = 1;
if role = 0 then
response.write "You are admin"
response.write "You are NOT admin"
So not sure how all this is going to fit on the guide, but I think we can look for the right spot once it starts taking shape.
From: Tim Kulp <timkulp at live.com>
To: Juan C Calderon <johnccr at yahoo.com>; Andrew van der Stock <vanderaj at owasp.org>; owasp-guide at lists.owasp.org
Cc: Dave Wichers <dave.wichers at owasp.org>; projects at owasp.org; Eoin Keary <eoin.keary at owasp.org>
Sent: Friday, May 11, 2012 11:45 AM
Subject: Re: [Owasp-guide] Proposal and discussion of draft Developer Guide2013 ToC
I think this would be a great addition.
On the topic of classic ASP, should we discuss some of the security
features that are different between ASP and ASP.NET? I ask that because I know
many developers who really treat them the same and thus do not get a lot of the
security features built in to ASP.NET like the membership provider.
From: Juan C Calderon
Sent: Friday, May 11, 2012 8:56 AM
To: Andrew van der Stock ; owasp-guide at lists.owasp.org
Cc: Dave Wichers ; projects at owasp.org ; Eoin
Subject: Re: [Owasp-guide] Proposal and discussion of draft
Developer Guide2013 ToC
Wow very large and ambitious TOC. I am willing to start writing those
Classic ASP samples. Also I can start organizing the translation to Spanish as
soon as the guide starts taking shape.
From: Andrew van der Stock
<vanderaj at owasp.org>
To: owasp-guide at lists.owasp.org
Cc: Eoin Keary
<eoin.keary at owasp.org>; projects at owasp.org; Dave Wichers
<dave.wichers at owasp.org>
Sent: Thursday, May 10, 2012 10:52
Proposal and discussion of draft Developer Guide 2013 ToC
Can you please look over this ToC
Let's start discussing what should be in and out of the Guide. I'm going
deliberately for inclusiveness as if it's not in the Developer Guide, where will
it be? However, I'm willing to be convinced if you have stronger arguments than
The numbering scheme is the (stalled) OWASP Common Numbering Scheme. It's
time for that to be completed, so I've cc'd Dave Wichers, the project leader for
that effort. I want to ensure that we are very strongly aligned with the ASVS
<- Developer Guide <-> Testing Guide <-> Code Review Guide,
because this time around we will not be discussing how to do code reviews and
how to test except to point to those other texts.
Claim your chapters
I'd like for folks to start claiming chapters here (first post wins!) where
a chapter is DG-MAJOR and not just a sub-section. For longer chapters (those
likely to have more than six patterns), I want at least two and preferably four
or five folks to work together.
I'd like to nut out the tittle for the next release. Can you please
indicate your preferred name for the next release:
OWASP Developer Guide 2013 <-- mine
OWASP Developer Guide 4.0 <-- timeless
OWASP Developer Guide 3.0
That's my preferred order. The main reason for not using 3.0 is that we've
had two shots at that version now, and I honestly think it's time to increment
The 10th anniversary of the Guide is next month. I'm going to try and have
a surprise for that. However, this project should not lose sight of the 2013
goal. For that reason, I'd like for us to be ready to release at no later than
OWASP AppSec US in Northern hemisphere fall 2013, but preferably by AppSec EU
Rebirth as a ready to use textbook, education piece
In other news, I had a lovely dinner with the delightful Laura Bell, who
got me thinking about how best to make use of the Guide.
I'd like for the Developer Guide to be immediately useful as a K11-12 /
first year University text book. This means I'd like to work with the OWASP
Education project on simultaneously updating my two day deck into a 15 or 16
week deck and exercises and labs that teachers and lecturers can use either
directly with WebGoat or directly with the deck we provide. We really need to
start educating the next generation behind us to prevent security being an
forgotten art. Once that's done, it's easy enough to create a dense 2 or 3 day
deck for trainers to deliver to organisations and businesses, with the Developer
Guide as being the lecture text and the next version of ASVS as the two-three
Whilst we will be developing this in the Wiki and that's how I tend to use
OWASP materials today, I am happy to create a final PDF and a iBook download for
the OWASP website, and possibly work with a publisher to get the Developer Guide
prepared for print publication. Personally, I think having a freely downloadable
version on our website, and in iTunes U along with someone teaching the
materials on screen (look for CS 193P for what I have in mind) will be the
lowest barrier to entry. I'm not convinced that dead tree printing is the best
today, but I have a Kindle and an iPad, so I'm biased.
Owasp-guide at lists.owasp.org
Owasp-guide at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-guide