[Owasp-leaders] Reaching developers = cooperative hackathons

Jim Manico jim.manico at owasp.org
Sat Sep 11 15:21:46 EDT 2010


Suppose you use a mobile app which takes HTML input using a widget like TinyMCE. I'd recommend AntiSamy-like HTML policy-based input validation as part of your website defense strategy. Or suppose your mobile app uses an HTML rendering component (WebOS), you may need to contextually encode in the mobile app itself. I respectfully disagree, Stephen. 

Jim Manico
jim at manico.net

On Sep 11, 2010, at 9:14 AM, Stephen de Vries <stephen at twisteddelight.org> wrote:

> 
> Hi Jim,
> 
>> XSS still applies to the mobile world. Most mobile apps are tied to a website and can be a vector for submitting XSS payloads.
> 
> Mmmm, technically the issue is with the web app for not encoding the XSS payload.  The fact that the payload was injected via the mobile app isn't a flaw in the mobile client, it's a flaw on the web app side.
> 
> Stephen
> 
> 
>> 
>> On Sep 10, 2010, at 8:02 AM, Stephen de Vries <stephen at twisteddelight.org> wrote:
>> 
>>> 
>>> "Mobile security" means different things to different people.  For the purposes of creating another top ten IMO we should not consider any browser based app as a mobile app.  What we'll be left with is a generic client-server top ten, with a few sprinkles of mobile specific issues.  Comparing to existing web top ten:
>>> 
>>> A1: Injection - still applies
>>> 
>>> A2: Cross-Site Scripting (XSS) - N/A
>>> 
>>> A3: Broken Authentication and Session Management - Still applies, although session man will need changing.  Broken auth might include things like using the mobile number or IMEI as a credential.  Then again that doesn't apply to tablet which are also now "mobile" devices.
>>> 
>>> A4: Insecure Direct Object References - N/A in it's current form.  Direct access to objects passed over RMI maybe.
>>> 
>>> A5: Cross-Site Request Forgery (CSRF) - N/A
>>> 
>>> A6: Security Misconfiguration - still applies
>>> 
>>> A7: Insecure Cryptographic Storage - still applies
>>> 
>>> A8: Failure to Restrict URL Access - N/A in current form.  Could be changed to Access Control Failure, or Access Control enforced on the client side.
>>> 
>>> A9: Insufficient Transport Layer Protection - still applies
>>> 
>>> A10: Unvalidated Redirects and Forwards - N/A.
>>> 
>>> For the additional issues, the biggies will be implementing security functionality on the client rather than the server and persistent storage on the client given the increased risk of compromise of the device itself.
>>> 
>>> 
>>> Stephen
>>> 
>>>> 
>>>> 
>>>> On Fri, Sep 10, 2010 at 10:34 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>>>> I’d be happy to see both styles of Top 10’s developed.
>>>> 
>>>> 
>>>> Regarding the Top 10 for Mobile. I’d love for a group of mobile security experts to explore whether it truly is different than the existing Top 10 and why. And then let us know what they have discovered and have that reviewed by the community. If the rough consensus is that it is truly different, then it would be great to write one. If the consensus is that it is very similar, maybe we should write an ‘interpretation’ of the Top 10 in the Mobile environment, or if, we decide its essentially the same set of risks, then we should state that publicly on the wiki.
>>>> 
>>>> 
>>>> I don’t know which way it will fall, but I’d love to hear what people think on this subject.
>>>> 
>>>> 
>>>> -Dave
>>>> 
>>>> 
>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
>>>> Sent: Thursday, September 09, 2010 11:58 AM
>>>> 
>>>> 
>>>> To: owasp-leaders at lists.owasp.org
>>>> Subject: Re: [Owasp-leaders] Reaching developers = cooperative hackathons
>>>> 
>>>> 
>>>> 
>>>> More importantly, I think we need to put •language specific• Top Tens' out front.
>>>> 
>>>> 
>>>> OWASP Top Ten for PHP
>>>> 
>>>> OWASP Top Ten for Java
>>>> 
>>>> Etc
>>>> 
>>>> 
>>>> This will help OWASP reach developers in a more prolific way.
>>>> 
>>>> -Jim Manico
>>>> 
>>>> http://manico.net
>>>> 
>>>> 
>>>> On Sep 9, 2010, at 5:19 AM, Sherif Koussa <sherif.koussa at gmail.com> wrote:
>>>> 
>>>> Would the leaders think there is value in starting a Top Ten for Mobile Applications? Or would that lie sort of outside the boundaries of OWASP since they might not typically be "web" applications?
>>>> 
>>>> 
>>>> Regards,
>>>> 
>>>> Sherif
>>>> 
>>>> 
>>>> On Wed, Sep 8, 2010 at 10:38 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>>>> 
>>>> I would like to see more top ten lists and I think this is a reasonable list to shoot for.  And I hope it would echo similar sentiments that are presented by the OWASP Guide. And if not, they should be synced up.
>>>> 
>>>> 
>>>> I still want to get a real Top Ten for Web Services done. We took a shot back in 2008 but I haven’t had the energy to really get it completed.
>>>> 
>>>> 
>>>> -Dave
>>>> 
>>>> 
>>>> Dave Wichers
>>>> 
>>>> OWASP Top 10 Project Lead
>>>> 
>>>> 
>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
>>>> Sent: Wednesday, September 08, 2010 8:41 AM
>>>> 
>>>> 
>>>> To: owasp-leaders at lists.owasp.org
>>>> 
>>>> Subject: Re: [Owasp-leaders] Reaching developers = cooperative hackathons
>>>> 
>>>> 
>>>> Does anyone else think starting a project to create a Top Ten list for Software Architects has merit? Since my past project of starting a certification resulted in a fail, I am game to try again and see if we can create a win…
>>>> 
>>>> 
>>>> James McGovern
>>>> Insurance SBU
>>>> 
>>>> Virtusa Corporation
>>>> 
>>>> 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
>>>> 
>>>> Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890  
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


More information about the OWASP-Leaders mailing list