[Owasp-leaders] Secure Coding Workshop: Status Update

John Steven John.Steven at owasp.org
Wed Feb 2 12:10:48 EST 2011


I've updated the "Protecting Client-Side Information" subsection of
the Secure Coding Workshop Wiki page. It now includes:

* Development contexts/environments used;
* Scenarios over which we'll consider them; and
* Specific work stream we'll go through to 'consider' each and produce code.

I also added deliverable items and objectives.

I'd anxiously like to draw more interested attendees to this difficult
topic, and make some progress. Feel free to look at the wiki:


Feel free to send me suggestions, feedback, or rants... or just throw
things you've pondered but for which you don't have solutions out


On Tue, Jan 25, 2011 at 8:17 AM, John Steven <jsteven at maladjustment.org> wrote:
> All,
> [Sum]
> Last night we honed in on our track sub-section focuses. Two
> sub-sections come to the summit with more content available and a
> clearer picture: IV and AppSensor.
> Jim suggested an "Attack and Defense" style offering where he'd bring
> enough application and attack harness code to have participants in
> roles either building defense against encoding-based attacks or
> proving evasion of those protections built by others. He suggested
> participants switch roles within his session so that they gain both
> perspectives. He suggested building competition kit (bells/whistles
> for when an evasion succeeds, etc.) to raise interest / sex-appeal.
> Mike has a cut-and-dried task in his mind: we have the AppSensor
> framework and need more example sensors. He'd like to focus his
> session on [that: building those].
> I have, for my part, come up with a few goals in the context of
> 'protecting information client-side' and have documented on the
> sub-track page (PI, App-specific info, etc.). I am concerned about
> dragging participants through those goals in two or three contexts
> (Classic n-tier, phone OS, and RIA). Currently, I'm trying to build
> sub-section design to take these ideas into work-able chunks. My
> principal concern remains [potential audience] familiarity with phone
> OSes and RIA tech stacks.
> Dan reports a similar difficulty in working his persisting data
> section. He and Jim are going to mine their existing code bases for
> usable snippet material. Dan, particularly, is concerned about
> representing properties of 'real world' data models so that solution
> definition/implementation treats issues developers confront beyond,
> "Flip this config setting and you're good."
> [Decisions]
> * Move from GITHUB --> Google Code (SVN) - Completed; jOHN has
> already exhausted his tears on the matter.
> https://code.google.com/p/secure-coding-workshop/
> * Focus each sub-section on 'getting something back' from the session
> to share with the community in addition to raising awareness and
> disseminating knowledge
> * Decision to work with snippets rather than demand a full "sample app."
> * Meet 'every other day' until summit in prep. Tentatively, this will
> be on Tuesday, Thursday, and Saturday.
> [Actions]
> * Each person held themselves to different prep-work activities but we
> agreed that for the next call to come up with the specific goals for:
>   * What we want participants to 'give back' to the sub-section in
> analysis/code/test/docs
>   * What we want participants to 'leave understanding' that they
> didn't when they arrived.
> I'll report status each week to cut down list traffic,
> -jOHN
