[Owasp-leaders] The OWASP Periodic Table Project

Jon Passki jon.passki at owasp.org
Tue Mar 5 21:05:20 UTC 2013


On Mar 5, 2013, at 3:47 PM, Jim Manico wrote:

> Input validation is not the right control for SQL Injection, Dennis. https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

Input validation (IV) isn't right most of the time. However, if the tainted data is going into a context like a table name, an identifier, or other non-parameterizable contexts then something needs to occur:
* SQL table names possibly could be escaped, depending upon the dialect in use. They still might need some type of filtering / IV.
* SQL identifiers ought to be validated from a known list of acceptable values.
* Full SQL statements probably should have access-controls and anti-CSRF protections in place. (hopefully!)
* Other oddball contexts need their own love, probably along the lines of IV.


> But otherwise you are right on. What you describe below is the direction I think James will be taking this.
> 
> Definitely a project to watch in my opinion.
> 
> Aloha,
> 
> - Jim Manico
> @Manicode
> 
> 
>> On 5 Mar 2013, at 20:35, Eoin wrote:
>> 
>>> So the periodic table is a list of vulns right? Best we share the work
>>> we did on the owasp common numbering system?
>> 
>> Not a list of vulns, the periodic table is a taxonomy of similarities.
>> Gases, liquids, solids etc… I imagine a taxonomy of vulns: input
>> validation, authorisation, access control, etc.. (the top 10 controls?)
>> Within the taxonomy of gases are air, and helium for example. I further
>> imagine that input validation will have XSS & SQLi for example. I would
>> further imagine that the OWASP periodic table has its own shape that
>> doesn't much resemble the actual periodic table…
>> 
>> so I see it as a project to group known issues according to related root
>> causes.
>> 
>> Is this how others view this project?
>> 
>> 
>> 
>> Dennis
>> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
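One way to implement the split Jon describes, an allow-list for identifier contexts (table and column names) next to a bound parameter for the data value, as an added example that is not part of the original thread. The allow-lists, the sqlite3 schema and the sample rows are constructed for the illustration.

```python
import re
import sqlite3

# Constructed allow-lists for the non-parameterizable contexts. A real
# application would derive these from its schema, not hand-write them.
ALLOWED_TABLES = {"users", "orders"}
ALLOWED_SORT_COLUMNS = {"id", "created_at"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def safe_identifier(name, allowed):
    """Validate an identifier against an allow-list, then quote it.

    The allow-list is the control; quoting is only defence in depth for a
    listed name that happens to collide with a reserved word.
    """
    if not IDENT_RE.match(name) or name not in allowed:
        raise ValueError(f"identifier not permitted: {name!r}")
    # SQL-92 style quoting: double any embedded double quote.
    return '"' + name.replace('"', '""') + '"'


def find_rows(conn, table, sort_col, min_id):
    """Identifiers go through the allow-list; the value is a bound parameter."""
    sql = (f"SELECT id, name FROM {safe_identifier(table, ALLOWED_TABLES)} "
           f"WHERE id >= ? ORDER BY {safe_identifier(sort_col, ALLOWED_SORT_COLUMNS)}")
    return conn.execute(sql, (min_id,)).fetchall()


def demo():
    """Run one accepted query and two rejected identifier values (constructed input)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "ann", "2013-03-01"), (2, "bob", "2013-03-02"),
                      (3, "cy", "2013-03-03")])
    good = find_rows(conn, "users", "id", 2)
    rejected = []
    # A tainted name and a legitimate-looking but unlisted table both fail validation.
    for table in ('users"; DROP TABLE users; --', "sqlite_master"):
        try:
            find_rows(conn, table, "id", 0)
        except ValueError:
            rejected.append(table)
    return good, rejected
```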