[Owasp-leaders] Owasp Source Code Flaws Top 10 Project

Paolo Perego thesp0nge at owasp.org
Mon Dec 15 17:18:45 EST 2008


Erlend, thanks for the comments. It would be great to discuss it on the
Source Code Top 10 mailing list, which I think is the right place.

In brief.
C3: definitely, a vulnerability that leads to an XSS at run time will match
this category. I don't want to talk about XSS or SQL injection because the
vulnerability is that the input is not filtered; how an attacker uses this
vulnerability is up to the original Top 10 :)

C9: yes, but think about code that after 5 years needs to be maintained or
refactored. Also, even the most expressive code can be hard to maintain if no
comment is included.

About testing, I disagree. This Top 10 is about a static analysis category
taxonomy, not about how to build an SSDLC, where testing is more on topic
(IMHO). The Code Review Guide could perhaps discuss the testing topic further.

Sorry for the brief answer, but IMHO we must move to the project mailing list
in order not to bother non-interested leaders :-)

Anyway, thanks for the very valuable feedback; I hope we'll follow the
project.

Ciao ciao
thesp0nge

On Mon, Dec 15, 2008 at 4:24 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:

> Hi Paolo
>
> This is an interesting project, which I hope will be successful.
>
> I have some comments:
>
> "C3 – Missing input validation" – I would call this "Missing input
> validation and output encoding". It's not always possible to filter out
> dangerous characters from the input. Consider the name O'Brian. It contains
> a quote (') which might be considered dangerous (SQL-injection) and filtered
> out. However it's actually a part of the name, and we should thus store it.
> So the correct way to handle this character would be to encode it when
> sending the data to the SQL-server. Best practices here would be to use
> parameterized queries or in the case of missing language support, escape it
> yourself. However this is not a part of input validation. It's something
> developers should do where they create the SQL-statement.
>
> The same logic can be used for XSS.
>
> Please note that I'm not saying input validation is useless. I just think
> both are necessary.
>
> "C9 - Documentation weakness" – I don't think that documentation is the
> issue here. In my opinion, writing maintainable code is not about
> documenting your code, but about writing code that others can read. If you
> look to coding gurus like Robert C. Martin (author of books such as "Clean
> Code"), he says "Obviously, there are times when you must write a comment
> but I want those times to be few and far between and if I find myself
> writing a comment because I've got no other option, I kick myself. It's a
> failure of my ability to express myself well in code."
>
> The idea is to use short methods (easy to get an overview), good method
> and variable naming, and good object oriented design (using design
> principles like the Single-Responsibility-Principle) to reduce the
> complexity of the code.
>
> Documentation and comments have a tendency to lie, because when developers
> are short on time (which they often are because of management or customer
> pressure), they tend to fix the code without updating the comments. In this
> case the documentation will lie, which is a lot worse than no documentation
> at all. However the code does not lie. The best documentation you can have,
> is in the form of unit tests and integration tests, because the
> documentation/specification is then executable. So my suggestion for C9
> would be: "C9 – Readability" or "C9 – Unreadable code".
>
> While on the subject of testing, "CX – Untested code" could be another item
> in your list.
>
> Best regards
>
> Erlend Oftedal
>
> OWASP Norway
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On behalf of* Paolo Perego
> *Sent:* 15 December 2008 15:11
> *To:* Owasp leaders
> *Subject:* [Owasp-leaders] Owasp Source Code Flaws Top 10 Project
>
> Hello leaders, I'm really happy to announce a new documentation project I
> started today. Our Top 10 most critical web app vulnerabilities is the de
> facto standard when trying to summarize findings when you assess a web
> application. And it is great.
>
> Looking at source code assessment (or code review, or static analysis, or
> whatever name you want to use :-)), nothing like this exists. Gary
> McGraw introduced the 7 kingdoms as a taxonomy. I started looking at this
> great work, extending it to fit an Owasp Top 10-like template.
>
> I also used categories that I found useful to gather security code review
> findings in.
>
> That's why I started this Top 10 project. The first goal is to provide
> something useful for the Owasp Code Review Guide while trying to organize
> security issues, and the second goal is to use it as the Owasp Orizon default
> library cookbooks, in order to have a "fil rouge" (common thread) between
> the Code Review Guide and the implementing tool. The Source Code Flaws Top 10
> will be that fil rouge.
>
> I really hope that everyone interested will subscribe to the mailing list
> and contribute to this document, which I'd like to release as a beta-quality
> project at the next AppSec Europe 2009 in Cracow.
>
> Link:
> http://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project
> Roadmap:
> http://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project_Roadmap
>
> Mailing list subscription page:
> https://lists.owasp.org/mailman/listinfo/owasp-source-code-flaws-top-10
>
> Regards
>
> thesp0nge
> --
> "stay hungry, stay foolish"
>
> OWASP Orizon project, http://orizon.sourceforge.net
> "enjoy your code review experience"
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
"stay hungry, stay foolish"

OWASP Orizon project, http://orizon.sourceforge.net
"enjoy your code review experience"
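Erlend's O'Brian point above, as an added example that is not part of either message: it assumes a hypothetical `users` table in an in-memory SQLite database and shows that stripping the quote at input time corrupts the name, that concatenating the raw name into the statement breaks the query, and that a parameterized query stores it intact; the same output-encoding idea is then applied to HTML with `html.escape`.

```python
import html
import sqlite3


def naive_filter(value: str) -> str:
    """Input 'validation' that strips the quote: loses legitimate data."""
    return value.replace("'", "")


def insert_concatenated(conn: sqlite3.Connection, name: str) -> None:
    # Vulnerable pattern: the value is spliced into the SQL text itself.
    conn.execute(f"INSERT INTO users(name) VALUES ('{name}')")


def insert_parameterized(conn: sqlite3.Connection, name: str) -> None:
    # Safe pattern: the driver sends the value separately from the statement.
    conn.execute("INSERT INTO users(name) VALUES (?)", (name,))


def stored_names(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def fresh_db() -> sqlite3.Connection:
    # Hypothetical schema, constructed for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    return conn


def demo_filtering() -> list[str]:
    # Filtering makes the concatenated statement parse, but the name is wrong.
    conn = fresh_db()
    insert_concatenated(conn, naive_filter("O'Brian"))
    return stored_names(conn)


def demo_parameterized() -> list[str]:
    # No filtering needed: the apostrophe is stored as-is and cannot alter the SQL.
    conn = fresh_db()
    insert_parameterized(conn, "O'Brian")
    return stored_names(conn)


def concatenated_fails() -> bool:
    # The unfiltered name breaks the hand-built statement: the quote is parsed as SQL.
    conn = fresh_db()
    try:
        insert_concatenated(conn, "O'Brian")
    except sqlite3.OperationalError:
        return True
    return False


def render_greeting(name: str) -> str:
    # Output encoding for the XSS case: encode at the point where HTML is produced.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```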