[Owasp-guide] Volunteering for Output Encoding Chapter

Tom Stripling tstripling at gmail.com
Thu May 17 13:53:15 UTC 2012


I envision the Guide as providing (and being organized by) layers of best
practices. If that's the case, it wouldn't focus on defending against a
particular attack (e.g. XSS) and it would separate defenses into layers
based on where they're likely to be implemented and when they should be
applied.

Because Input Validation is done before business logic and Output Encoding
isn't applied until the data is returned to another application
layer/system/etc., I don't think it makes sense to combine the two. Doing
so risks confusing people about where and how it should be implemented.

As you said, though, the two must obviously work in tandem as a part of a
larger process. Since this is going to be the case for a variety of
chapters, maybe we should talk about a standard for referencing sections in
other chapters. It will probably even be necessary to briefly restate a
principle that will be fleshed out in another chapter. It's going to
require the authors of various chapters to work together a lot,
particularly input validation and output encoding.

My 3 cents (50% more free!)
Tom
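
The layering Tom describes above (input validation before business logic, output encoding at the boundary where data leaves for another context) and Abe's point that the encoding depends on the destination context, shown as an added example. This is not code from the thread or from the OWASP Guide; the display-name whitelist, the function names and the sample values are assumptions made for illustration, and it uses only Python's standard library.

```python
"""Layered defence: validate at input, encode per context at output.

Added example for this thread; not code from the OWASP Guide or from any
poster. The display-name whitelist, function names and sample values are
assumptions made for illustration.
"""
import html
import re
from urllib.parse import quote

# --- Layer 1: input validation, applied before business logic -------------
# Constrain: a narrow whitelist for a display name (assumed policy).
# Reject: anything that does not fit it.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 .'\-]{0,31}")


def is_valid_display_name(raw: str) -> bool:
    """True if the whole value fits the whitelist."""
    return DISPLAY_NAME_RE.fullmatch(raw) is not None


def validate_display_name(raw: str) -> str:
    """Return the value unchanged if it fits the whitelist, else raise."""
    if not is_valid_display_name(raw):
        raise ValueError("display name rejected by input validation")
    return raw


# --- Layer 2: output encoding, applied where data leaves for another context
def encode_for_html_text(value: str) -> str:
    """HTML body context: escape & < > \" ' so the value is inert as text."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Quoted-attribute context: hex entity for everything but ASCII alphanumerics."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else f"&#x{ord(ch):x};" for ch in value
    )


def encode_for_javascript(value: str) -> str:
    """Quoted JS string context: \\uXXXX for everything but ASCII alphanumerics."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp > 0xFFFF:  # astral code points need a surrogate pair in JS
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def encode_for_url_param(value: str) -> str:
    """URL query-parameter context: percent-encode all but unreserved characters."""
    return quote(value, safe="")


def render_profile(display_name: str) -> dict:
    """Same stored value, four destinations, four different encodings.

    render_profile deliberately does NOT call validate_display_name: the value
    may have arrived by a path (legacy import, another system) that never
    validated it, so the output layer protects itself regardless.
    """
    return {
        "html_body": f"<p>Hello {encode_for_html_text(display_name)}</p>",
        "html_attr": f'<input name="who" value="{encode_for_html_attribute(display_name)}">',
        "js_string": f"var who = '{encode_for_javascript(display_name)}';",
        "url_param": f"/profile?who={encode_for_url_param(display_name)}",
    }


if __name__ == "__main__":
    # Constructed sample: passes validation yet still needs context encoding.
    name = validate_display_name("O'Brien")
    for ctx, snippet in render_profile(name).items():
        print(f"{ctx:9s} {snippet}")
    # Constructed sample that validation rejects, but which the output layer
    # still renders as inert text if it reaches it by another route.
    for ctx, snippet in render_profile('<b onmouseover="x()">').items():
        print(f"{ctx:9s} {snippet}")
```

The two layers answer different questions: validation decides whether a value is acceptable for the application at all, while encoding makes whatever value is present inert in the specific syntax it is being written into, which is why the same string comes out four different ways and why the output layer cannot assume the input layer ran.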


On Thu, May 17, 2012 at 8:28 AM, Tim Kulp <timkulp at live.com> wrote:

>   As a thought, should the Output Encryption section be rolled into the
> Input Validation section? The reason I ask is that Input Validation uses
> Constrain, Reject and Sanitize as steps in a process. Output Encoding is
> part of the sanitization and constraining processes. Just a thought.
>
>  *From:* Jim Manico <jim.manico at owasp.org>
> *Sent:* Thursday, May 17, 2012 2:40 AM
> *To:* Abraham Kang <abraham.kang at owasp.org>
> *Cc:* owasp-guide at lists.owasp.org
> *Subject:* Re: [Owasp-guide] Volunteering for Output Encoding Chapter
>
>  Totally fair. It's just that we need a lot more than just OE to stop
> XSS...
>
> --
> Jim Manico
> VP, Security Architecture
> WhiteHat Security
> (808) 652-3805
>
> On May 16, 2012, at 9:02 PM, Abraham Kang <abraham.kang at owasp.org> wrote:
>
>   I think output encoding can apply to any executable context including
> command line output, xml, shell script, sql.  If the chapter is too focused
> on xss, I can modify it.
>
> --Abe
> On May 14, 2012 8:10 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>
>> Abe,
>>
>> Can we rename the output encoding section and call it "XSS Prevention"
>> instead?
>>
>> Complete XSS prevention requires validation, HTML policy validation,
>> proper JSON parsing and a host of other techniques other than just output
>> encoding.
>>
>> Fair? Interested?
>>
>> Aloha,
>> Jim
>>
>>
>> I want to volunteer to take the Output Encoding Chapter.  I added the
>> chapter a while ago but it has been sitting idle.
>>
>> The content is pretty much done but may need minor reorganization.
>>
>> Regards,
>> Abe
>>
>>
>>
>> --
>> Jim Manico
>>
>> Connections Committee Chair
>> Cheatsheet Series Product Manager
>> OWASP Podcast Producer/Host
>>
>> jim at owasp.org
>> www.owasp.org
>>