[Owasp-leaders] Reaching developers = cooperative hackathons

Venkatesh Jagannathan venki at owasp.org
Mon Sep 13 03:28:03 EDT 2010


Hi,
    XSS is still a valid vulnerability for mobile apps.

The thing about mobile apps:

Many applications are developed in one of the following formats:
0. Pure-play web based apps, accessed through a mobile browser. - These apps
will have the Top Ten still applicable to them.
1. Native Apps: These are applications written for specific mobile
environments like iPhone/Android/WinCE etc. Only some of the Top Ten
vulnerabilities apply here.
2. Hybrid: More of an HTML5 dev platform, that is making the line between thin
clients and thick clients disappear. These need to be also studied in more
detail.

I am currently doing some preliminary work on mobile application
security. I would be glad to contribute to OWASP if a project is defined for
this purpose.

Thanks & Regards,
~Venk!


On Fri, Sep 10, 2010 at 8:32 PM, Stephen de Vries <
stephen at twisteddelight.org> wrote:

>
> "Mobile security" means different things to different people.  For the
> purposes of creating another top ten IMO we should not consider any browser
> based app as a mobile app.  What we'll be left with is a generic
> client-server top ten, with a few sprinkles of mobile specific issues.
> Comparing to existing web top ten:
>
> A1: Injection - still applies
>
> A2: Cross-Site Scripting (XSS) - N/A
>
> A3: Broken Authentication and Session Management - Still applies, although
> session man will need changing.  Broken auth might include things like using
> the mobile number or IMEI as a credential.  Then again that doesn't apply to
> tablets, which are also now "mobile" devices.
>
> A4: Insecure Direct Object References - N/A in its current form.  Direct
> access to objects passed over RMI maybe.
>
> A5: Cross-Site Request Forgery (CSRF) - N/A
>
> A6: Security Misconfiguration - still applies
>
> A7: Insecure Cryptographic Storage - still applies
>
> A8: Failure to Restrict URL Access - N/A in current form.  Could be changed
> to Access Control Failure, or Access Control enforced on the client side.
>
> A9: Insufficient Transport Layer Protection - still applies
>
> A10: Unvalidated Redirects and Forwards - N/A.
>
> For the additional issues, the biggies will be implementing security
> functionality on the client rather than the server and persistent storage on
> the client given the increased risk of compromise of the device itself.
>
>
> Stephen
>
> >
> >
> > On Fri, Sep 10, 2010 at 10:34 AM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
> > I’d be happy to see both styles of Top 10’s developed.
> >
> >
> > Regarding the Top 10 for Mobile. I’d love for a group of mobile security
> experts to explore whether it truly is different than the existing Top 10
> and why. And then let us know what they have discovered and have that
> reviewed by the community. If the rough consensus is that it is truly
> different, then it would be great to write one. If the consensus is that it
> is very similar, maybe we should write an ‘interpretation’ of the Top 10 in
> the Mobile environment, or if we decide it's essentially the same set of
> risks, then we should state that publicly on the wiki.
> >
> >
> > I don’t know which way it will fall, but I’d love to hear what people
> think on this subject.
> >
> >
> > -Dave
> >
> >
> > From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> > Sent: Thursday, September 09, 2010 11:58 AM
> >
> >
> > To: owasp-leaders at lists.owasp.org
> > Subject: Re: [Owasp-leaders] Reaching developers = cooperative hackathons
> >
> >
> >
> > More importantly, I think we need to put *language specific* Top Tens
> out front.
> >
> >
> > OWASP Top Ten for PHP
> >
> > OWASP Top Ten for Java
> >
> > Etc
> >
> >
> > This will help OWASP reach developers in a more prolific way.
> >
> > -Jim Manico
> >
> > http://manico.net
> >
> >
> > On Sep 9, 2010, at 5:19 AM, Sherif Koussa <sherif.koussa at gmail.com>
> wrote:
> >
> > Would the leaders think there is value in starting a Top Ten for Mobile
> Applications? Or would that lie sort of outside the boundaries of OWASP
> since they might not typically be "web" applications?
> >
> >
> > Regards,
> >
> > Sherif
> >
> >
> > On Wed, Sep 8, 2010 at 10:38 AM, Dave Wichers <dave.wichers at owasp.org>
> wrote:
> >
> > I would like to see more top ten lists and I think this is a reasonable
> list to shoot for.  And I hope it would echo similar sentiments that are
> presented by the OWASP Guide. And if not, they should be synced up.
> >
> >
> > I still want to get a real Top Ten for Web Services done. We took a shot
> back in 2008 but I haven’t had the energy to really get it completed.
> >
> >
> > -Dave
> >
> >
> > Dave Wichers
> >
> > OWASP Top 10 Project Lead
> >
> >
> > From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
> > Sent: Wednesday, September 08, 2010 8:41 AM
> >
> >
> > To: owasp-leaders at lists.owasp.org
> >
> > Subject: Re: [Owasp-leaders] Reaching developers = cooperative hackathons
> >
> >
> > Does anyone else think starting a project to create a Top Ten list for
> Software Architects has merit? Since my past project of starting a
> certification resulted in a fail, I am game to try again and see if we can
> create a win…
> >
> >
> > James McGovern
> > Insurance SBU
> >
> > Virtusa Corporation
> >
> > 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
> >
> > Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
>
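Venkatesh's point at the top of this thread, that XSS still applies to web-based and hybrid (HTML5) mobile apps, shown as an added example (not code from anyone in this thread): a hybrid app's WebView renders a contact list fetched from a server. The first row builder interpolates the untrusted name straight into markup, the second escapes it on output. The function names (`escapeHtml`, `buildContactRowUnsafe`, `buildContactRowSafe`, `renderContactList`, `containsRawTag`, `demo`) and the sample contacts are constructed for this illustration.

```javascript
// Added example: why XSS still applies to web-based and hybrid mobile apps.
// A hybrid app's WebView parses the markup it is handed exactly as a desktop
// browser would, so an untrusted string dropped into HTML becomes script.
// All function names and sample data here are constructed for the illustration.

// Minimal HTML entity escaper for text placed inside element content or
// inside a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the server-supplied display name is interpolated raw, so any
// markup inside it is parsed by the WebView as part of the page.
function buildContactRowUnsafe(contact) {
  return '<li class="contact">' + contact.name + '</li>';
}

// Hardened: the same row, with the untrusted value escaped on output.
function buildContactRowSafe(contact) {
  return '<li class="contact">' + escapeHtml(contact.name) + '</li>';
}

// Constructed sample response: one ordinary contact and one whose name
// carries markup, as a tampered or compromised server might return.
const sampleContacts = [
  { name: 'Alice Example' },
  { name: '<img src=x onerror="alert(1)">' },
];

// Render the whole list with a chosen row builder.
function renderContactList(contacts, rowBuilder) {
  return '<ul>' + contacts.map(rowBuilder).join('') + '</ul>';
}

// Simple output check a reviewer or unit test can run on generated markup:
// did a tag that came from the data survive into the output unescaped?
function containsRawTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// Produce both renderings side by side, plus the result of the check.
function demo() {
  const unsafe = renderContactList(sampleContacts, buildContactRowUnsafe);
  const safe = renderContactList(sampleContacts, buildContactRowSafe);
  return {
    unsafe,
    safe,
    unsafeLeaksTag: containsRawTag(unsafe, 'img'), // true: markup survived
    safeLeaksTag: containsRawTag(safe, 'img'),     // false: markup was escaped
  };
}

console.log(demo());
```

The same reasoning carries over to Stephen's remark about client-side security functionality: escaping on output inside the app is a defence the app controls, but because the device itself may be compromised, the server still has to treat the name as untrusted data and must not rely on the client having sanitised it.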