[Owasp-leaders] Facebook

Jim Manico jim.manico at owasp.org
Wed Dec 30 19:26:53 EST 2009


> This is a frustration to me, as a case study for lack of a better way to
> put it, seeing which OWASP materials are being referenced and how.

I understand your frustration. But please note, Facebook is very
receptive to these ideas. You just need to ask. Let's talk offline, and
I'll work with you to communicate these suggestions to Facebook.

I've already talked to the Facebook Security team about ESAPI; they are
reviewing it now. They do have a good deal of security built into the
core Facebook Connect APIs, and these are constantly evolving. I'm
sure we could help more. On many levels.

So no need to lament, Mike. This is the start of something good!

- Jim

> Since you ask...
>
> This is a frustration to me, as a case study for lack of a better way to
> put it, seeing which OWASP materials are being referenced and how.
> Certain messages aren't getting out in my mind, reading over that wiki
> page.
>
> The Top 10 is a data sheet, it is not a baseline set of security
> requirements, nor is it a standard to implement something to comply
> with. The cheat sheets are guidance for overcoming very specific
> atomic items. Pointing someone to the development guide w/o saying
> which sections are relevant is like telling someone to read an
> encyclopedia A-Z. What security activities are being done during their
> SDLC? Etc.....
>
> First, I think Facebook needs to be straightened out a little bit in
> this regard. ASVS exists now, so people need to start using it, where
> they had previously been using the Top 10 in an inappropriate way.
> Second, I propose exploring whether or not what Facebook really
> needs/is asking for is an ESAPI.
>
> Mike
>
>
> On Wed, Dec 30, 2009 at 5:00 PM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Hello Leaders,
>
>     I recently noticed that the OWASP Top Ten was being referenced on
>     Facebook's developer platform wiki at
>     http://wiki.developers.facebook.com/index.php/Platform_Security -
>     pretty cool.
>
>     This triggered a conversation with Pete Bratach and Ryan McGeehan
>     from the Facebook security team about a deeper relationship between
>     Facebook and OWASP. They also brought their partners, iSec (folks
>     who know the Facebook platform very well), into the conversation.
>
>     Facebook would like OWASP to host and develop a series of wiki
>     pages on the topic of helping developers write secure Facebook
>     applications. Once this is rolling, Facebook would prominently link
>     to those pages from the Facebook developer portal. The traffic and
>     awareness potential is significant.
>
>     Facebook also seems to have a progressive security research policy in
>     place (modeled after PayPal's) at
>     http://www.facebook.com/security#/security?v=app_6009294086
>
>     What do you think leaders?
>
>     - Jim Manico
>     OWASP ESAPI Project Manager
>     http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
>     OWASP Podcast Host/Producer
>     http://www.owasp.org/index.php/OWASP_Podcast
>
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>


-- 

- Jim Manico
OWASP ESAPI Project Manager
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

OWASP Podcast Host/Producer
http://www.owasp.org/index.php/OWASP_Podcast
