[Owasp-leaders] Generating Passwords Hopw

Jeff Williams jeff.williams at aspectsecurity.com
Wed Jan 21 17:11:25 EST 2009


Putting in the work to create something like a Ruby version of ESAPI is
a very strong way to get folks to adopt.  Otherwise it is quite
difficult to get them to see the value.

FYI, here's the article that I created to help Sun understand the value
in providing an output encoding API. If you're tired of the pre-Cambrian
explosion of attack vectors, try a positive approach to XSS...

http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

--Jeff
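To make the "positive approach" concrete, here is a small ESAPI-style contextual output encoder in Ruby, added here as an illustration; it is not code from the thread, from ESAPI, or from any Ruby ESAPI port, and the module and method names are my own. It allows only alphanumerics through unchanged and encodes every other character for the specific output context, rather than trying to blacklist known-bad input.

```ruby
# Added example (not from the original post or from ESAPI): a minimal
# positive-model output encoder. Alphanumerics pass through; everything
# else is encoded in the form the target context requires.
module PositiveEncoder
  # Characters considered safe in every context handled here.
  SAFE = /[A-Za-z0-9]/

  # HTML element content: every non-alphanumeric becomes a numeric entity.
  def self.encode_for_html(s)
    s.each_char.map { |c| SAFE.match?(c) ? c : "&##{c.ord};" }.join
  end

  # HTML attribute value: same rule; the caller must still quote the attribute.
  def self.encode_for_html_attribute(s)
    encode_for_html(s)
  end

  # JavaScript string literal: \xHH for Latin-1 range, \uHHHH otherwise.
  def self.encode_for_javascript(s)
    s.each_char.map do |c|
      next c if SAFE.match?(c)
      c.ord < 256 ? format('\x%02X', c.ord) : format('\u%04X', c.ord)
    end.join
  end

  # URL query parameter: percent-encode each UTF-8 byte.
  def self.encode_for_url(s)
    s.each_char.map do |c|
      SAFE.match?(c) ? c : c.bytes.map { |b| format('%%%02X', b) }.join
    end.join
  end

  # Renders untrusted `name` (a constructed sample input) into three
  # contexts, using the encoder that matches each one.
  def self.greeting_html(name)
    "<div title=\"#{encode_for_html_attribute(name)}\">" \
      "Hello #{encode_for_html(name)}" \
      "<script>var n='#{encode_for_javascript(name)}';</script></div>"
  end
end
```

Because the rule is "encode everything that is not alphanumeric", new attack vectors that rely on an unlisted metacharacter are covered without updating a blacklist.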

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern,
James F (HTSC, IT)
Sent: Wednesday, January 21, 2009 9:58 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw

Is there merit in doing the same type of activity with the Ruby
community?

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jeff
Williams
Sent: Tuesday, January 20, 2009 11:39 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw

Hi,

I have been working with Sun and the rest of the Servlet team to get
some better security into the Java Servlet 3.0 specification for the
last year or so. While it has been interesting and somewhat productive,
it is *extremely* difficult to get them to acknowledge the idea that
their APIs need to change for security. I heard every excuse you can
think of (compatibility, performance, usability, complexity, insanity,
etc...). Anyway, while I think the goal is good, I'm not optimistic
about the prospects for just "providing feedback."  I'm leaning towards
the ESAPI approach of providing safe wrappers or replacements for unsafe
methods.

--Jeff
