[Owasp-leaders] Web Service Cheaters!

mark curphey mark at curphey.com
Fri Oct 7 00:12:53 EDT 2011


Great stuff. Some notes on sections as I digest it

Server Auth

Server Authentication

Transport level authentication verifies the identity of the user or the system trying to connect to the service. Usually, transport authentication is a function of the container of the web service.
Rule - Basic Authentication has to be conducted using HTTP over SSL 
Rule - Client Certificate Authentication using HTTP over SSL to be used if the client and server need to authenticate each other

Notes
It's called Server auth but talks about user auth, which might be a little confusing.
Is it worth describing mutual TLS auth (or clarifying that there are client auth, server auth and mutual auth options) under the client cert auth?
I think the basic auth rule should read "Basic HTTP AuthN should be over TLS/SSL"?

Great stuff, more notes to come...



On Oct 6, 2011, at 8:52 PM, Jim Manico wrote:

> Hello Leaders,
> 
> We just pushed our first version of the Web Service Security cheat sheet here:
> 
> https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
> 
> Thanks to Gunnar Peterson for getting us started, to Sherif Koussa for driving it home, and for that many others who helped provide content and suggestions.
> 
> I would be very grateful if the web service security experts in our community would take a peek (its a fast read) and provide comments. 
> 
> Thanks all,
> 
> -- 
> Jim Manico
> 
> Connections Committee Chair
> Cheatsheet Series Product Manager
> OWASP Podcast Producer/Host
> 
> jim at owasp.org
> www.owasp.org
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
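Added example, not part of the cheat sheet or of anyone's mail in this thread: a Go server sketch that makes the distinction Mark asks for concrete. `tlsConfigFor` switches between server-only TLS authentication and mutual TLS by setting `tls.Config.ClientAuth`, and `basicOverTLS` accepts HTTP Basic credentials only when the request actually arrived over TLS. The username, password, certificate file names and port are constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"net/http"
)

// AuthMode selects which side(s) the TLS handshake authenticates.
type AuthMode int

const (
	ServerAuth AuthMode = iota // client verifies the server certificate only
	MutualAuth                 // both sides present and verify certificates
)

// tlsConfigFor builds a server-side tls.Config for the chosen mode.
// clientCAs is the pool trusted to sign client certificates (mutual mode only).
func tlsConfigFor(mode AuthMode, clientCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if mode == MutualAuth {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert // handshake fails without a valid client cert
		cfg.ClientCAs = clientCAs
	}
	return cfg
}

// basicOverTLS wraps a handler so that HTTP Basic credentials are only accepted
// when the request came in over TLS; a plaintext request is refused before the
// password is even compared, so credentials never travel unencrypted.
func basicOverTLS(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Error(w, "Basic authentication requires TLS", http.StatusForbidden)
			return
		}
		u, p, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(pass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="ws"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	h := basicOverTLS("svc", "example-secret", http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) }))
	srv := &http.Server{Addr: ":8443", Handler: h, TLSConfig: tlsConfigFor(MutualAuth, x509.NewCertPool())}
	_ = srv.ListenAndServeTLS("server.crt", "server.key") // placeholder certificate paths
}
```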