[Owasp-leaders] Facebook

Mike Boberski mike.boberski at gmail.com
Wed Dec 30 20:31:29 EST 2009


Good idea, let's see if they'll do a self-assessment, if not, we can take it
from there and see what we can glean from public information. I offer cycles
to the degree folks are interested in having them in support of this effort.

Mike


On Wed, Dec 30, 2009 at 8:27 PM, Dave Wichers <dave.wichers at owasp.org> wrote:

>  A facebook ESAPI that allows developers to easily meet level 2ish of ASVS
> would be ridiculously great Mike. In fact, if someone could go through ASVS
> level 2 and determine what parts of it are met by Facebook itself, and what
> parts are the app developer’s responsibility, that would be a great first
> step. And then their ESAPI should help them meet the parts that the
> developer has to do.
>
> Of course, a good first step, would be for someone to review Facebook
> itself to see if it itself meets ASVS level 2. Maybe we should ask them to
> do a self assessment as a first step. And if they are open to stuff, maybe
> they would be open to publishing their results, after fixing any
> deficiencies they identify first, of course.
>
> My 2 cents, anyway.
>
> -Dave
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Wednesday, December 30, 2009 7:27 PM
> *To:* mike.boberski at gmail.com; owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Facebook
>
> > This is a frustration to me, as a case study for lack of better way to
> put it, seeing which OWASP materials are being referenced and how.
>
> I understand your frustration. But please note, Facebook is very receptive
> to these ideas. You just need to ask. Let's talk offline, and I'll work with
> you to communicate these suggestions to Facebook.
>
> I've already talked to the Facebook Security team about ESAPI, they are
> reviewing it now. They do have a good deal of security built into the core
> Facebook connect API's - and these are constantly evolving. I'm sure we
> could help more. On many levels.
>
> So no need to lament, Mike. This is the start of something good!
>
> - Jim
>
>
>  Since you ask...
>
> This is a frustration to me, as a case study for lack of better way to put
> it, seeing which OWASP materials are being referenced and how. Certain
> messages aren't getting out in my mind, reading over that wiki page.
>
> The Top 10 is a data sheet, it is not a baseline set of security
> requirements, nor is it a standard to implement something to comply with.
> The cheat sheets are guidance for overcoming very specific atomic items.
> Pointing someone to the development guide w/o saying which sections are
> relevant is like telling someone to read an encyclopedia A-Z. What security
> activities are being done during their SDLC? Etc.....
>
> First, I think Facebook needs to be straightened out a little bit in this
> regard. ASVS exists now, so people need to start using it, where they had
> previously been using the Top 10 in an inappropriate way. Second, I propose
> exploring whether or not what Facebook really needs/asking for is an ESAPI.
>
> Mike
>
>  On Wed, Dec 30, 2009 at 5:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> Hello Leaders,
>
> I recently noticed that the OWASP Top Ten was being referenced on
> Facebook's developer platform wiki at
> http://wiki.developers.facebook.com/index.php/Platform_Security - pretty
> cool.
>
> This triggered a conversation with Pete Bratach and Ryan McGeehan from
> the Facebook security team about a deeper relationship between Facebook
> and OWASP. They also brought their partners, iSec (folks who know the
> Facebook platform very well) into the conversation.
>
> Facebook would like OWASP to host and develop a series of wiki pages on
> the topic of helping developers write secure Facebook applications. Once
> this is rolling, Facebook would prominently link to those pages from the
> Facebook developer portal. The traffic and awareness potential is
> significant.
>
> Facebook also seems to have a progressive security research policy in
> place (modeled after PayPal's) at
> http://www.facebook.com/security#/security?v=app_6009294086
>
> What do you think leaders?
>
> - Jim Manico
> OWASP ESAPI Project Manager
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
> OWASP Podcast Host/Producer
> http://www.owasp.org/index.php/OWASP_Podcast
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders