[Owasp-leaders] [owasp-intrinsic-security] Web application framework security comparison

Ivan Ristic ivan.ristic at gmail.com
Sat Jan 31 06:35:36 EST 2009

This is the single most useful document I have seen in years.

Some random comments and thoughts:

- Some of the features need explanations.

- I think the word you are looking for (to use in this document) is
"platform". J2EE, .Net, PHP and the others listed are all platforms.

- URL-based XSS detection is a hack. It's blacklisting and, as such,
not something I would like to see in any platform (or framework). If
we start to put things like that into standards then we will be
telling people that's the way to handle security. But it isn't. It's a

- In the XSS section I would like to see something like: "A way to
build HTML pages securely" (perhaps some of you will be able to come
up with a better name). Wicket is the only framework I have seen that
is secure by default: it forces you to create output in such a way
that you don't have to think about escaping yet you're secure. (Of
course, there are plenty of ways to shoot yourself in the foot and
create e.g. DOM XSS vulnerabilities, but those are out of its scope.)

- Perhaps you should add "Encryption APIs" to the list.

- All platforms today lack something I would call "Resource
utilisation API", which would be used to map the actions of users (and
IP addresses if users are not known) to system resources, with the
goal to prevent denial of service attacks.

- I would also like to see APIs that would allow web applications to
perform with user privileges. For example, as the first thing in the
processing of any request you determine which user is asking you to do
something, then practically execute a "su" to that account and drop
all other privileges.

On Thu, Jan 29, 2009 at 9:21 PM, Jim Manico
<jim.manico at aspectsecurity.com> wrote:
> I would also like to point on the difference between a language, framework
> and management system (only because I see them used interchangably so much).
> A language is PHP.
> A framework would be something like Cake or Zend.
> But then we have entire content management systems like Drupal that are just
> as popular (if not more so) than the frameworks. Management systems let the
> layperson deploy large software systems without any custom programming -
> this is the key diferentiator.
> There is no reason that Drupal could not have been written on top of Cake on
> top of PHP. Some folks are also building Drupal on top of Python
> frameworks.  And some of the Anti-Patterns/Security Bugs migrate from the
> management system to other languages/frameworks as they are ported.
> --
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
> Aspect Security™
> Securing your applications at the source
> http://www.aspectsecurity.com
> ________________________________
> From: owasp-leaders-bounces at lists.owasp.org on behalf of Michael Menefee
> Sent: Wed 1/28/2009 9:19 PM
> To: owasp-leaders at lists.owasp.org
> Cc: owasp-intrinsic-security at lists.owasp.org
> Subject: Re: [Owasp-leaders] Web application framework security comparison
> Arshan/All,
> I would like to point out the difference between "Framework" and "language".
> .NET is a framework, classic ASP is a language. PHP is also a language, not
> a framework. If we want to compare various frameworks, then we need to
> include specific PHP frameworks such as Cake, Symfony, Zend, etc, and make
> sure to differentiate languages (such as ASP and PHP) from actual frameworks
> I would be more than happy to attempt an evaluation of the top 5 PHP
> frameworks (although there are many more than that now).
> Mike
> On Wed, Jan 28, 2009 at 10:41 AM, Arshan Dabirsiaghi
> <arshan.dabirsiaghi at aspectsecurity.com> wrote:
>> All,
>> Thanks to those of you who made it out to Portugal for the EU Summit. One
>> of our working sessions was focused on creating a consumer report on the
>> security provided by web application frameworks. After some huge
>> initial draft work there, I'm happy to have a beta ready. Of course
>> maintaining this will be a moving target, but right now I'm soliciting a
>> last call for comments and suggestions before making it available to the
>> world at large.
>> The key is on the spreadsheet. Ideally I would like every tuple that's not
>> "No Plans" to have a supporting comment or link. If you can provide one or
>> can argue for a different value for any tuple, please get back to me soon.
>> Thanks to everyone for all your help up to this point - let's get this
>> thing finished so we can get it out the public. I'm sorry I can't let
>> everyone have edit privileges, but I had to make a million reverts when I
>> did that before because I wasn't clear enough with my goals for the
>> spreadsheet, so please just email me and the group your suggestions!
>> http://spreadsheets.google.com/pub?key=pWqXgSu_wNm-GkSPgOGyOWQ
>> Cheers,
>> Arshan
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> owasp-intrinsic-security mailing list
> owasp-intrinsic-security at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security

Ivan Ristic

More information about the OWASP-Leaders mailing list