[owasp-intrinsic-security] OWASP EU Summit - ISWG Working Sessions

Jim Manico jim.manico at aspectsecurity.com
Mon Sep 15 09:23:49 EDT 2008


One of the biggest problems I see with frameworks in general is the
desire to follow a "standard" instead of "secure best practices".

For example, the folks at Sun and Tomcat both complained about HttpOnly
support since it was not part of the "cookie standard" (from the 90's).

Struts folks complained about "autocomplete" not being an official part
of HTML 4.0X.

And then, Eric Bing from Oracle and I talked to the w3c about
clarifying the verbiage in the XMLHttpRequest "standard" at
http://dev.w3.org/2006/webapi/XMLHttpRequest/#security

(see
http://lists.w3.org/Archives/Public/public-webapps/2008AprJun/0203.html)

And again, another complaint that it was not part of a 10+ year old
cookie standard.

I'm really eager to hear how your conversations with the w3c go - so
many frameworks/browsers look to them for guidance.

- Jim
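A defender's check for the HttpOnly gap Jim describes, added here as an example (it is not code from this thread, nor from Tomcat, Struts or any other project named above). It assumes the response headers are available as a list of (name, value) pairs, as most WSGI- or servlet-style frameworks expose them, and it shows both sides of the problem: auditing what a framework actually emitted, and writing the Set-Cookie header by hand when the cookie API predates the flag. The sample headers are constructed.

```python
"""Audit and build Set-Cookie headers for the HttpOnly flag.

Added example, not code from the OWASP list thread. It assumes the
response headers are available as a list of (name, value) pairs and
uses only the Python standard library.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header value into (cookie_name, attributes).

    Attribute names are lower-cased because browsers treat them
    case-insensitively. Flag attributes (HttpOnly, Secure) map to "",
    valued attributes (Path, Domain, Max-Age, Expires) map to their value.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_missing_httponly(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the names of cookies the response sets without HttpOnly."""
    missing = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(hvalue)
        if "httponly" not in attrs:
            missing.append(cookie)
    return missing


def build_set_cookie(name: str, value: str, path: str = "/",
                     secure: bool = True, http_only: bool = True) -> str:
    """Build a Set-Cookie value with the flags spelled out explicitly.

    This is the manual route a framework had to take when its cookie
    API had no notion of HttpOnly: write the raw header yourself.
    Separator characters are rejected so attributes cannot be injected
    through the name or value.
    """
    if not name or any(c in name for c in " ;=,"):
        raise ValueError("invalid cookie name")
    if ";" in value or "," in value:
        raise ValueError("cookie value must not contain ';' or ','")
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


# Constructed sample response headers: one session cookie emitted with
# the flag-less default of a pre-HttpOnly framework, one set correctly.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for bad in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {bad!r} is readable from script: add HttpOnly")
    print(build_set_cookie("JSESSIONID", "abc123"))
```

Run against a captured response, the audit reports `JSESSIONID` as script-readable; the builder shows what the same cookie should have looked like. The same audit loop is a cheap thing to keep in a framework's own test suite so the default cannot silently regress.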

 

From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Arshan Dabirsiaghi
Sent: Thursday, September 11, 2008 10:33 AM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] OWASP EU Summit - ISWG Working
Sessions

Greetings,

We hope to see all of you at the OWASP EU Summit 2008 in the beautiful
Algarve, Portugal!


The ISWG will be hosting 2 working sessions that take place immediately
before the conference: Browser Security on Monday, November 3rd and
Framework Security on Tuesday, November 4th.

The Browser Security session will be a 1-day discussion-oriented workshop
where anyone can share research and we can all discuss, threat model,
and try to solidify positions regarding all the W3C drafts that are
reaching "last call" status. Also, we'll try to solidify the OWASP Top
10 browser wishlist. We'll be inviting representatives from the browser
organizations to attend, and we'll keep you posted on that front, but
they don't have to be there for us to help them.

The Framework Security session will also be a 1-day session. We're
going to take a look at the programming frameworks (think Struts,
ASP.NET, RoR, etc.) and see what security gaps exist, and see if we can
identify any patterns of weakness across the frameworks. Hopefully we
can come up with some solutions to fill in those gaps. We want attendees
from the frameworks to leave with a good idea of how to help programmers
write more secure applications.

Hopefully after both working sessions we'll have some actionable advice
for the target audience. I'm very excited for the workshops, I think we
can start making some big changes in this space!

Cheers,

Arshan
