[Owasp-leaders] Reaching developers = cooperative hackathons

James McGovern JMcGovern at virtusa.com
Wed Sep 15 11:19:28 EDT 2010


There are lots of things that architects can think about before code is
written including but not limited to:

1. Encryption: Algorithm choices, key size choices, how to keep
private keys private, ways to escrow keys, etc.

2. Logging: What to log (events), standards for output, putting it on
another tier, etc.

3. AuthZ: Ability to have a standardized interface for developers,
the approach used (e.g. XACML vs. JAAS vs. etc.)

4. MVC Choice: leverage the eval criteria that Rohit Sethi is using.
Could include defining what components you need, like centralizing
"validation".

5. Roles: Clear role modeling such that you can detect
indeterminate behavior.

6. Database connectivity: Lots of web apps have multiple web/app
servers but usually only one "active" DB at any one point in time. If
a bad guy can tie up the DB by exhausting DB pools...

7. Other forms of validation can include saying no to DTDs and
mandating XSD for all XML.

8. Dump the notion of user ID/password in its entirety. Consider
approaches such as Information Cards, OpenID, etc. within the business
context and risk level.

James McGovern
Insurance SBU 

Virtusa Corporation

100 Northfield Drive, Suite 305 | Windsor, CT | 06095

Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890  

  <http://www.virtusa.com/>    <http://www.virtusa.com/blog/>   
<https://twitter.com/VirtusaCorp>   
<http://www.linkedin.com/companies/virtusa>   
<http://www.facebook.com/VirtusaCorp> 
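One way to enforce item 7 of the list above at the input boundary, as an added example and not code from anyone in this thread: a Python gate that refuses any document carrying a DOCTYPE before the application parser touches it, then checks that the root element sits in the mandated schema's namespace. The namespace, the sample documents and the function names are constructed; full XSD validation needs a schema-aware library (lxml, or a JAXP validator on the Java side) and is not shown here.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

EXPECTED_NS = "urn:example:claims"  # constructed target namespace of the mandated XSD


class DtdRejected(ValueError):
    """Inbound document declares a DOCTYPE; policy is 'no DTD, XSD only'."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Fail fast on any DOCTYPE before the application parser sees the input."""
    # Bare expat pass with only the doctype handler set: it builds no tree and
    # expands no entity, it simply trips on the declaration itself.
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} present; DTDs are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def load_trusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse only DTD-free documents whose root is in the mandated namespace."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns != EXPECTED_NS:
        raise ValueError(f"root namespace {ns!r} is not the mandated {EXPECTED_NS!r}")
    return root


def classify(xml_bytes: bytes) -> str:
    """Map the gate's outcome to a label a log line or metric can carry."""
    try:
        load_trusted_xml(xml_bytes)
        return "accepted"
    except DtdRejected:
        return "rejected-dtd"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "rejected-malformed"
    except ValueError:
        return "rejected-namespace"


# Constructed samples: conforming, DTD-carrying, and wrong-namespace documents.
GOOD_DOC = b'<c:claim xmlns:c="urn:example:claims"><c:id>42</c:id></c:claim>'
DTD_DOC = b'<!DOCTYPE claim [<!ENTITY g "hi">]><claim xmlns="urn:example:claims">&g;</claim>'
FOREIGN_DOC = b'<claim xmlns="urn:example:other"><id>42</id></claim>'
```

The DTD sample is deliberately benign: the point of the policy is that the gate never has to judge whether a given DTD is harmful, any DOCTYPE at all is refused and counted.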


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Venkatesh
Jagannathan
Sent: Thursday, September 09, 2010 5:02 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Reaching developers = cooperative
hackathons


James,
    This is a good idea since we can at least catch the vulnerabilities
earlier rather than wait for the developer to code. Making a Top Ten for
Architects, though, is going to be a little more difficult because the
context is not very apparent initially. And without the initial context,
creating a list makes little sense.

    A better option would be to evangelize Threat Modeling. This will
create the necessary awareness needed for the security architects and
thereby prevent at least potential vulnerabilities from being exploited
during the design stage itself.

    Therefore coming up with a stronger threat modeling guide would be a
better option, I feel.

Thanks & Regards,
~Venki



On Wed, Sep 8, 2010 at 6:10 PM, James McGovern <JMcGovern at virtusa.com>
wrote:

Does anyone else think starting a project to create a Top Ten list for
Software Architects has merit? Since my past project of starting a
certification resulted in a fail, I am game to try again and see if we
can create a win...


From: antonio.fontes at gmail.com [mailto:antonio.fontes at gmail.com] On
Behalf Of AF
Sent: Tuesday, September 07, 2010 10:33 AM
To: James McGovern
Subject: Re: [Owasp-leaders] Reaching developers = cooperative
hackathons


On Tue, Sep 7, 2010 at 3:48 PM, James McGovern <JMcGovern at virtusa.com>
wrote:

We can also agree that many of the successful attacks aren't really
caused by coding mistakes of developers, but really can be attributed to
suboptimal architecture decisions made by some architect who threw a
design over the wall without understanding the ramifications of their
choices. What if we collectively thought of a Top Ten list for
Architects to consider when designing software...


Definitely YES!


Virtusa was recently ranked and featured in 2010 Global Services 100,
IAOP's 2010 Global Outsourcing 100 sub-list, 2009 Deloitte Technology
Fast 500 and 2009 Dataquest-IDC Best Employers Survey among others.

---------------------------------------------------------------------------------------------

This message, including any attachments, contains confidential
information intended for a specific individual and purpose, and is
intended for the addressee only. Any unauthorized disclosure, use,
dissemination, copying, or distribution of this message or any of its
attachments or the information contained in this e-mail, or the taking
of any action based on it, is strictly prohibited. If you are not the
intended recipient, please notify the sender immediately by return
e-mail and delete this message.

---------------------------------------------------------------------------------------------


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
