[Owasp-leaders] Facebook

Dave Wichers dave.wichers at owasp.org
Wed Dec 30 20:27:16 EST 2009


A Facebook ESAPI that allows developers to easily meet level 2ish of ASVS
would be ridiculously great Mike. In fact, if someone could go through ASVS
level 2 and determine what parts of it are met by Facebook itself, and what
parts are the app developer's responsibility, that would be a great first
step. And then their ESAPI should help them meet the parts that the
developer has to do.


Of course, a good first step would be for someone to review Facebook itself
to see if it itself meets ASVS level 2. Maybe we should ask them to do a
self assessment as a first step. And if they are open to stuff, maybe they
would be open to publishing their results, after fixing any deficiencies
they identify first, of course.


My 2 cents, anyway.


-Dave


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, December 30, 2009 7:27 PM
To: mike.boberski at gmail.com; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Facebook


> This is a frustration to me, as a case study for lack of a better way to put
> it, seeing which OWASP materials are being referenced and how.

I understand your frustration. But please note, Facebook is very receptive
to these ideas. You just need to ask. Let's talk offline, and I'll work with
you to communicate these suggestions to Facebook.

I've already talked to the Facebook Security team about ESAPI; they are
reviewing it now. They do have a good deal of security built into the core
Facebook Connect APIs - and these are constantly evolving. I'm sure we
could help more. On many levels.

So no need to lament, Mike. This is the start of something good!

- Jim

Since you ask...

This is a frustration to me, as a case study for lack of a better way to put
it, seeing which OWASP materials are being referenced and how. Certain
messages aren't getting out in my mind, reading over that wiki page.

The Top 10 is a data sheet, it is not a baseline set of security
requirements, nor is it a standard to implement something to comply with.
The cheat sheets are guidance for overcoming very specific atomic items.
Pointing someone to the development guide w/o saying which sections are
relevant is like telling someone to read an encyclopedia A-Z. What security
activities are being done during their SDLC? Etc.....

First, I think Facebook needs to be straightened out a little bit in this
regard. ASVS exists now, so people need to start using it, where they had
previously been using the Top 10 in an inappropriate way. Second, I propose
exploring whether or not what Facebook really needs/is asking for is an ESAPI.

Mike

On Wed, Dec 30, 2009 at 5:00 PM, Jim Manico <jim.manico at owasp.org> wrote:

Hello Leaders,

I recently noticed that the OWASP Top Ten was being referenced on
Facebook's developer platform wiki at
http://wiki.developers.facebook.com/index.php/Platform_Security - pretty
cool.

This triggered a conversation with Pete Bratach and Ryan McGeehan from
the Facebook security team about a deeper relationship between Facebook
and OWASP. They also brought their partners, iSec (folks who know the
Facebook platform very well) into the conversation.

Facebook would like OWASP to host and develop a series of wiki pages on
the topic of helping developers write secure Facebook applications. Once
this is rolling, Facebook would prominently link to those pages from the
Facebook developer portal. The traffic and awareness potential is
significant.

Facebook also seems to have a progressive security research policy in
place (modeled after PayPal's) at
http://www.facebook.com/security#/security?v=app_6009294086

What do you think leaders?

- Jim Manico
OWASP ESAPI Project Manager
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

OWASP Podcast Host/Producer
http://www.owasp.org/index.php/OWASP_Podcast

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders

-- 
- Jim Manico
OWASP ESAPI Project Manager
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
OWASP Podcast Host/Producer
http://www.owasp.org/index.php/OWASP_Podcast