[Owasp-guide] Volunteering for Output Encoding Chapter

Menerick, John jmenerick at netsuite.com
Thu May 17 18:06:10 UTC 2012


That would help developers / QA understand why and how each layer works.


John Menerick | Security
650-627-1000 | jmenerick at netsuite.com
NetSuite: Where Business is Going

Register today for SuiteWorld! May 14–17, 2012 in San Francisco
________________________________________
From: owasp-guide-bounces at lists.owasp.org [owasp-guide-bounces at lists.owasp.org] On Behalf Of Tim Kulp [timkulp at live.com]
Sent: Thursday, May 17, 2012 11:01 AM
To: Kevin W. Wall; Jim Manico
Cc: owasp-guide at lists.owasp.org; Abraham Kang
Subject: Re: [Owasp-guide] Volunteering for Output Encoding Chapter

Typo indeed...sorry!

Another thought, one way that I always illustrate a best practice is to show the attack first. Should we perhaps have a section of attack demonstrations and then show how each defense works as a layer to protect against it?



From: Kevin W. Wall<mailto:kevin.w.wall at gmail.com>
Sent: Thursday, May 17, 2012 11:25 AM
To: Jim Manico<mailto:jim.manico at owasp.org>
Cc: owasp-guide at lists.owasp.org<mailto:owasp-guide at lists.owasp.org> ; Abraham Kang<mailto:abraham.kang at owasp.org>
Subject: Re: [Owasp-guide] Volunteering for Output Encoding Chapter

Perhaps the approach should be to first describe all the common defensive techniques;
e.g., input validation, canonicalization, output encoding, sandboxing, cryptography, etc.
followed by some specific sections to address common vulnerabilities such as XSS.
That means that the XSS section (say) could be a lot shorter because the background
of all the defensive techniques would have already been described and all you would
need to do would be to show how to make all the relevant defenses play together
correctly to address the problem at hand.

-kevin

On Thu, May 17, 2012 at 11:00 AM, Jim Manico <jim.manico at owasp.org<mailto:jim.manico at owasp.org>> wrote:
I'd personally like to see both an Output Encoding section AND an XSS defense section.

XSS defense involves:

Output Encoding, Input validation, safe JSON parsing, sandboxing, DOM XSS API avoidance, HTML policy-based validation, etc. XSS defense is way WAY more than just OE.

Aloha,

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On May 16, 2012, at 9:02 PM, Abraham Kang <abraham.kang at owasp.org<mailto:abraham.kang at owasp.org>> wrote:


I think output encoding can apply to any executable context including command line output, XML, shell script, SQL. If the chapter is too focused on XSS, I can modify it.

--Abe

On May 14, 2012 8:10 PM, "Jim Manico" <jim.manico at owasp.org<mailto:jim.manico at owasp.org>> wrote:
Abe,

Can we rename the output encoding section and call it "XSS Prevention" instead?

Complete XSS prevention requires validation, HTML policy validation, proper JSON parsing and a host of other techniques other than just output encoding.

Fair? Interested?

Aloha,
Jim



I want to volunteer to take the Output Encoding Chapter.  I added the
chapter a while ago but it has been sitting idle.

The content is pretty much done but may need minor reorganization.

Regards,
Abe





_______________________________________________
Owasp-guide mailing list
Owasp-guide at lists.owasp.org<mailto:Owasp-guide at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-guide



--
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org<mailto:jim at owasp.org>
www.owasp.org<http://www.owasp.org>





--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

________________________________
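The thread's point that output encoding is context-specific (HTML body, HTML attribute, JavaScript string, URL, and beyond that XML, shell, SQL) and that each context needs its own encoder, as an added example that is not part of the thread or of the Guide's Output Encoding chapter. The encoder and `renderProfile` function names are assumptions made for this illustration; the rules follow the OWASP XSS prevention guidance of encoding everything except alphanumerics in attribute and JavaScript contexts:

```javascript
// Added example, not code from the OWASP Guide: one encoder per output context.
// Function names here are assumptions for the illustration.

// HTML body context: the six characters that can change the parse state between tags.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };

function encodeForHTML(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Upper-case hex, zero-padded to at least `width` digits.
function toHex(cp, width) {
  return cp.toString(16).toUpperCase().padStart(width, "0");
}

// HTML attribute context: encode every non-alphanumeric code point as &#xHH;
// so the value cannot terminate the attribute whatever quoting style the template uses.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${toHex(c.codePointAt(0), 2)};`);
}

// JavaScript string-literal context: \xHH for Latin-1, \uHHHH otherwise, so the value
// can neither close the quote nor contain the bytes "</script" that end the block.
function encodeForJavaScript(s) {
  let out = "";
  for (const ch of String(s)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += "\\x" + toHex(cp, 2);
    else if (cp < 0x10000) out += "\\u" + toHex(cp, 4);
    else out += "\\u{" + toHex(cp, 1) + "}";
  }
  return out;
}

// URL query-parameter context: the platform's percent-encoder is the right tool here.
function encodeForURL(s) {
  return encodeURIComponent(String(s));
}

// Places one untrusted value (constructed by the caller) into four different contexts of a
// page, choosing the encoder that matches each context rather than one encoder for all.
function renderProfile(displayName) {
  return [
    `<h1>Hello, ${encodeForHTML(displayName)}</h1>`,
    `<input type="text" value="${encodeForHTMLAttribute(displayName)}">`,
    `<script>var user = '${encodeForJavaScript(displayName)}';</script>`,
    `<a href="/search?q=${encodeForURL(displayName)}">Search</a>`,
  ].join("\n");
}

// Constructed sample input for a stand-alone run.
console.log(renderProfile("O'Neil <b>"));
```

The reason for four encoders rather than one is the layering Kevin and Jim describe: an HTML-body encoder leaves the backslash and the script-block terminator alone because they are harmless between tags, while a JavaScript-string encoder must neutralise both; applying the wrong one for the context is the usual way an "encoded" page still ends up vulnerable, and the other defenses in Jim's list (validation, HTML policy, safe JSON parsing) sit on top of this, not in place of it.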
