[Owasp-leaders] [owasp-intrinsic-security] Web application framework security comparison

Michael Menefee mmenefee at gmail.com
Sat Jan 31 20:49:13 EST 2009


Arshan,

To Ivan's point, I must say (and should have in my previous response
regarding platform/language) this is a very good document/research effort
and thank you!

Thanks Ivan, for reminding me to not be such a prick

Mike


On Sat, Jan 31, 2009 at 6:35 AM, Ivan Ristic <ivan.ristic at gmail.com> wrote:

> This is the single most useful document I have seen in years.
>
> Some random comments and thoughts:
>
> - Some of the features need explanations.
>
> - I think the word you are looking for (to use in this document) is
> "platform". J2EE, .Net, PHP and the others listed are all platforms.
>
> - URL-based XSS detection is a hack. It's blacklisting and, as such,
> not something I would like to see in any platform (or framework). If
> we start to put things like that into standards then we will be
> telling people that's the way to handle security. But it isn't. It's a
> crutch.
>
> - In the XSS section I would like to see something like: "A way to
> build HTML pages securely" (perhaps some of you will be able to come
> up with a better name). Wicket is the only framework I have seen that
> is secure by default: it forces you to create output in such a way
> that you don't have to think about escaping yet you're secure. (Of
> course, there are plenty of ways to shoot yourself in the foot and
> create e.g. DOM XSS vulnerabilities, but those are out of its scope.)
>
> - Perhaps you should add "Encryption APIs" to the list.
>
> - All platforms today lack something I would call "Resource
> utilisation API", which would be used to map the actions of users (and
> IP addresses if users are not known) to system resources, with the
> goal to prevent denial of service attacks.
>
> - I would also like to see APIs that would allow web applications to
> perform with user privileges. For example, as the first thing in the
> processing of any request you determine which user is asking you to do
> something, then practically execute a "su" to that account and drop
> all other privileges.
>
>
> On Thu, Jan 29, 2009 at 9:21 PM, Jim Manico
> <jim.manico at aspectsecurity.com> wrote:
> > I would also like to point on the difference between a language,
> framework
> > and management system (only because I see them used interchangably so
> much).
> >
> > A language is PHP.
> > A framework would be something like Cake or Zend.
> > But then we have entire content management systems like Drupal that are
> just
> > as popular (if not more so) than the frameworks. Management systems let
> the
> > layperson deploy large software systems without any custom programming -
> > this is the key diferentiator.
> >
> > There is no reason that Drupal could not have been written on top of Cake
> on
> > top of PHP. Some folks are also building Drupal on top of Python
> > frameworks.  And some of the Anti-Patterns/Security Bugs migrate from the
> > management system to other languages/frameworks as they are ported.
> >
> > --
> > Jim Manico, Senior Application Security Engineer
> > jim.manico at aspectsecurity.com
> > (301) 604-4882 (work)
> > (808) 652-3805 (cell)
> >
> > Aspect Security™
> > Securing your applications at the source
> > http://www.aspectsecurity.com
> >
> > ________________________________
> > From: owasp-leaders-bounces at lists.owasp.org on behalf of Michael Menefee
> > Sent: Wed 1/28/2009 9:19 PM
> > To: owasp-leaders at lists.owasp.org
> > Cc: owasp-intrinsic-security at lists.owasp.org
> > Subject: Re: [Owasp-leaders] Web application framework security
> comparison
> >
> > Arshan/All,
> >
> > I would like to point out the difference between "Framework" and
> "language".
> > .NET is a framework, classic ASP is a language. PHP is also a language,
> not
> > a framework. If we want to compare various frameworks, then we need to
> > include specific PHP frameworks such as Cake, Symfony, Zend, etc, and
> make
> > sure to differentiate languages (such as ASP and PHP) from actual
> frameworks
> >
> > I would be more than happy to attempt an evaluation of the top 5 PHP
> > frameworks (although there are many more than that now).
> >
> > Mike
> >
> >
> > On Wed, Jan 28, 2009 at 10:41 AM, Arshan Dabirsiaghi
> > <arshan.dabirsiaghi at aspectsecurity.com> wrote:
> >>
> >> All,
> >>
> >> Thanks to those of you who made it out to Portugal for the EU Summit.
> One
> >> of our working sessions was focused on creating a consumer report on the
> >> security provided by web application frameworks. After some huge
> >> initial draft work there, I'm happy to have a beta ready. Of course
> >> maintaining this will be a moving target, but right now I'm soliciting a
> >> last call for comments and suggestions before making it available to the
> >> world at large.
> >>
> >> The key is on the spreadsheet. Ideally I would like every tuple that's
> not
> >> "No Plans" to have a supporting comment or link. If you can provide one
> or
> >> can argue for a different value for any tuple, please get back to me
> soon.
> >>
> >> Thanks to everyone for all your help up to this point - let's get this
> >> thing finished so we can get it out the public. I'm sorry I can't let
> >> everyone have edit privileges, but I had to make a million reverts when
> I
> >> did that before because I wasn't clear enough with my goals for the
> >> spreadsheet, so please just email me and the group your suggestions!
> >>
> >> http://spreadsheets.google.com/pub?key=pWqXgSu_wNm-GkSPgOGyOWQ
> >>
> >> Cheers,
> >> Arshan
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >
> >
> > _______________________________________________
> > owasp-intrinsic-security mailing list
> > owasp-intrinsic-security at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
> >
> >
>
>
>
> --
> Ivan Ristic
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090131/8d549144/attachment.html 


More information about the OWASP-Leaders mailing list