[Owasp-leaders] Owasp Source Code Flaws Top 10 Project

Paolo Perego thesp0nge at owasp.org
Mon Dec 15 17:20:32 EST 2008


Juan, I guess this can be a task for the Owasp Orizon tool, what do you think
about that? Can we discuss this further on the Orizon mailing list? :)

Sorry for the very quick answer but I'm scared about being off topic on the
leaders mailing list :-)

thesp0nge

On Mon, Dec 15, 2008 at 5:31 PM, Calderon, Juan Carlos (GE, Corporate,
consultant) <juan.calderon at ge.com> wrote:

>  2 comments on Documentation Weakness: I agree, that is not the issue, but
> "Sensitive Information Disclosure via comments"
>
> Anyway, regardless of the name, what about OWASP creating a tool that takes
> all the comments out of the source code and leaves IDs in their place? You can
> run it just before deploying your code. At the same time this process could
> be reversed by simply putting the comments back in case you need them
> for further modification of the source code. It would be ideal if this could
> be a plug-in for Eclipse where you can see the comments in place but the
> actual code does not contain them. Also many other interpreter-based
> technologies would benefit as well, like PHP, Perl and Classic ASP.
>
> Anyone interested in running the project? It shouldn't be that much :)
>
> Regards,
> Juan Carlos Calderon
> Application Security Program
> Project Leader
>
>
>  ------------------------------
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Erlend Oftedal
> *Sent:* Monday, 15 December 2008 09:25 a.m.
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Owasp Source Code Flaws Top 10 Project
>
>  Hi Paolo
>
> This is an interesting project, which I hope will be successful.
>
> I have some comments:
>
> "C3 – Missing input validation" – I would call this "Missing input
> validation and output encoding". It's not always possible to filter out
> dangerous characters from the input. Consider the name O'Brian. It contains
> a quote (') which might be considered dangerous (SQL-injection) and filtered
> out. However it's actually a part of the name, and we should thus store it.
> So the correct way to handle this character would be to encode it when
> sending the data to the SQL-server. Best practices here would be to use
> parameterized queries or in the case of missing language support, escape it
> yourself. However this is not a part of input validation. It's something
> developers should do where they create the SQL-statement.
>
> The same logic can be used for XSS.
>
> Please note that I'm not saying input validation is useless. I just think
> both are necessary.
>
>  "C9 - Documentation weakness" – I don't think that documentation is the
> issue here. In my opinion, writing maintainable code is not about
> documenting your code, but about writing code that others can read. If you
> look at coding gurus like Robert C. Martin (author of books such as "Clean
> Code"), he says "Obviously, there are times when you must write a comment
> but I want those times to be few and far between and if I find myself
> writing a comment because I've got no other option, I kick myself. It's a
> failure of my ability to express myself well in code."
>
> The idea  is to use short methods (easy to get an overview), good method
> and variable naming, and good object oriented design (using design
> principles like the Single-Responsibility-Principle) to reduce the
> complexity of the code.
>
> Documentation and comments have a tendency to lie, because when developers
> are short on time (which they often are because of management or customer
> pressure), they tend to fix the code without updating the comments. In this
> case the documentation will lie, which is a lot worse than no documentation
> at all. However the code does not lie. The best documentation you can have,
> is in the form of unit tests and integration tests, because the
> documentation/specification is then executable. So my suggestion for C9
> would be: "C9 – Readability" or "C9 – Unreadable code".
>
> While on the subject of testing, "CX – Untested code" could be another item
> in your list.
>
> Best regards
>
> Erlend Oftedal
>
> OWASP Norway
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On behalf of* Paolo Perego
> *Sent:* 15 December 2008 15:11
> *To:* Owasp leaders
> *Subject:* [Owasp-leaders] Owasp Source Code Flaws Top 10 Project
>
> Hello leaders, I'm really happy to announce a new documentation project I
> started today. Our Top 10 most critical web app vulnerabilities is the de
> facto standard when trying to summarize findings when you assess a web
> application. And it is great.
>
> Looking at source code assessment (or code review, or static analysis, or
> whatever name you want to use :-)), nothing like this exists. Gary
> McGraw introduced the 7 kingdoms as a taxonomy. I started looking at this
> great job, extending it to fit an Owasp Top 10-like template.
>
> I also used categories that I found useful to gather security code review
> findings in.
>
> That's why I started this Top 10 project. The goal is to provide something
> useful in the Owasp Code Review Guide while trying to organize security issues,
> and the second goal is to use it as the Owasp Orizon default library cookbooks
> in order to have a "fil rouge" from the Code review guide to the implementing
> tool. The Source code flaws Top 10 will be that fil rouge.
>
> I really hope that everyone interested will subscribe to the mailing list and
> give some contributions to this document, which I'd like to release as a beta
> quality project at the next AppSec Europe 2009 in Cracow.
>
> Link:
> http://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project
> Roadmap:
> http://www.owasp.org/index.php/Category:OWASP_Source_Code_Flaws_Top_10_Project_Roadmap
>
> Mailinglist subscription page:
> https://lists.owasp.org/mailman/listinfo/owasp-source-code-flaws-top-10
>
> Regards
>
> thesp0nge
> --
> "stay hungry, stay foolish"
>
> OWASP Orizon project, http://orizon.sourceforge.net
> "enjoy your code review experience"
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
"stay hungry, stay foolish"

OWASP Orizon project, http://orizon.sourceforge.net
"enjoy your code review experience"
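Juan's proposal above (strip comments out of the code that ships, leave an ID in their place, and put them back later) can be tried out on Python source with the standard `tokenize` module. The following is an added example written for this page; it is not code from the thread, from Orizon or from any OWASP project. It assumes Python as the target language (PHP, Perl or Classic ASP would need their own tokenizer) and uses a constructed sample file. Because it works on real tokens rather than on text, a `#` inside a string literal is left alone.

```python
import io
import tokenize
from typing import Callable, Dict, Tuple

# Constructed sample source: the '#' inside the URL string is not a comment,
# and the second line is the kind of note that must not ship to production.
SAMPLE = (
    'API_URL = "https://example.invalid/api#v2"  # TODO: move to config\n'
    '# secret = "hunter2"   (constructed: a comment that must not ship)\n'
    'def greet(name):\n'
    '    return "Hi " + name  # no sanitisation here\n'
)


def _rewrite_comments(source: str, rewrite: Callable[[str], str]) -> str:
    """Replace the text of every COMMENT token using `rewrite`, leaving all
    other characters untouched. A Python comment always runs to the end of
    its line, so each one can be rewritten in place on its own line."""
    lines = io.StringIO(source).readlines()   # same line splitting as tokenize
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        row, col = tok.start                   # 1-based row, 0-based column
        line = lines[row - 1]
        body = line.rstrip("\r\n")
        eol = line[len(body):]                 # keep the original line ending
        lines[row - 1] = body[:col] + rewrite(tok.string) + eol
    return "".join(lines)


def strip_comments(source: str) -> Tuple[str, Dict[str, str]]:
    """Deploy-time step: return the source with every comment replaced by a
    placeholder such as '#C3', plus the ID -> original comment mapping that
    is kept out of the deployed artifact."""
    mapping: Dict[str, str] = {}

    def to_placeholder(comment: str) -> str:
        cid = f"C{len(mapping) + 1}"
        mapping[cid] = comment
        return "#" + cid

    return _rewrite_comments(source, to_placeholder), mapping


def restore_comments(stripped: str, mapping: Dict[str, str]) -> str:
    """Reverse step for further development: swap each placeholder back for
    the comment it stands for. Unknown IDs are left as they are."""
    def from_placeholder(comment: str) -> str:
        return mapping.get(comment[1:], comment)

    return _rewrite_comments(stripped, from_placeholder)


if __name__ == "__main__":
    stripped, ids = strip_comments(SAMPLE)
    print(stripped)
    print(ids)
    assert restore_comments(stripped, ids) == SAMPLE
```

The mapping is the sensitive part of the output: it holds exactly the text the tool was meant to keep out of the deployed code, so it belongs with the source repository, not with the build artifact.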
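Erlend's O'Brian point, that filtering a quote out of the input corrupts legitimate data while building the SQL statement by concatenation breaks on it, and that parameterized queries handle it correctly, can be shown end to end. This is an added example for this page, not code from the thread; it stands in an in-memory SQLite database for "the SQL-server" and adds the output-encoding half of his argument with `html.escape`.

```python
import html
import re
import sqlite3

# Constructed sample input: a legitimate name that contains a single quote.
LEGIT_NAME = "O'Brian"


def strip_dangerous_chars(value: str) -> str:
    """The 'filter it out' approach from the thread: drops quotes so they never
    reach SQL. It silently changes the user's data."""
    return re.sub(r"[';\"]", "", value)


def insert_by_concatenation(conn: sqlite3.Connection, name: str) -> None:
    """Unsafe pattern: the value becomes part of the SQL text. The apostrophe
    in O'Brian closes the string literal early and the statement is rejected."""
    sql = "INSERT INTO users(name) VALUES ('" + name + "')"
    conn.execute(sql)


def insert_parameterized(conn: sqlite3.Connection, name: str) -> None:
    """Correct pattern: the driver keeps query structure and values apart, so
    any character in the name is stored as data."""
    conn.execute("INSERT INTO users(name) VALUES (?)", (name,))


def encode_for_html(value: str) -> str:
    """Output encoding for the HTML context (the XSS side of the same
    argument): the quote survives, but as an entity the browser shows as text."""
    return html.escape(value, quote=True)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    return conn


def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM users")]


def demo_filtering() -> str:
    """What the database holds after 'validating' the name by stripping quotes."""
    conn = fresh_db()
    insert_parameterized(conn, strip_dangerous_chars(LEGIT_NAME))
    return stored_names(conn)[0]          # 'OBrian': the name is now wrong


def demo_concatenation() -> str:
    """Name of the exception raised when the raw name is concatenated into SQL."""
    conn = fresh_db()
    try:
        insert_by_concatenation(conn, LEGIT_NAME)
    except sqlite3.OperationalError as exc:
        return type(exc).__name__
    return "no error"


def demo_parameterized() -> str:
    """What the database holds when the raw name is passed as a parameter."""
    conn = fresh_db()
    insert_parameterized(conn, LEGIT_NAME)
    return stored_names(conn)[0]          # "O'Brian", stored exactly


if __name__ == "__main__":
    print("filtered     :", demo_filtering())
    print("concatenated :", demo_concatenation())
    print("parameterized:", demo_parameterized())
    print("html encoded :", encode_for_html(LEGIT_NAME))
```

The three `demo_*` functions are the three outcomes Erlend describes: validation alone loses data, concatenation is fragile even on honest input, and parameterization stores the value intact. The encoding step is separate from both, done where the value is written into HTML, which is the "at the point where you create the statement" rule applied to the output side.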

