[Owasp-leaders] The OWASP Periodic Table Project

Eoin eoin.keary at owasp.org
Tue Mar 5 21:11:27 UTC 2013


You need both. Think onion. It certainly does not hurt.

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 5 Mar 2013, at 22:05, Jon Passki <jon.passki at owasp.org> wrote:

> 
> On Mar 5, 2013, at 3:47 PM, Jim Manico wrote:
> 
>> Input validation is not the right control for SQL Injection, Dennis. https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
> 
> Input validation (IV) isn't right most of the time. However, if the tainted data is going into a context like a table name, an identifier, or other non-parameterizable contexts then something needs to occur:
> * SQL table names possibly could be escaped, depending upon the dialect in use. They still might need some type of filtering / IV.
> * SQL identifiers ought to be validated from a known list of acceptable values.
> * Full SQL statements probably should have access-controls and anti-CSRF protections in place. (hopefully!)
> * Other odd ball contexts need their own love, probably along the lines of IV.
> 
> 
>> But otherwise you are right on. What you describe below is the direction I think James will be taking this.
>> 
>> Definitely a project to watch in my opinion.
>> 
>> Aloha,
>> 
>> - Jim Manico
>> @Manicode
>> 
>> 
>>> On 5 Mar 2013, at 20:35, Eoin wrote:
>>> 
>>>> So the periodic table is a list of vulns right? Best we share the work
>>>> we did on the owasp common numbering system?
>>> 
>>> Not a list of vulns, the periodic table is a taxonomy of similarities.
>>> Gases, liquids, solids etc… I imagine a taxonomy of vulns: input
>>> validation, authorisation, access control, etc.. (the top 10 controls?)
>>> Within the taxonomy of gasses are air, and helium for example. I further
>>> imagine that input validation will have XSS & SQLi for example. I would
>>> further imagine that the OWASP periodic table has its own shape that
>>> doesn't much resemble the actual periodic table…
>>> 
>>> so I see it as a project to group known issues according to related root
>>> causes.
>>> 
>>> Is this how others view this project?
>>> 
>>> 
>>> 
>>> Dennis
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


More information about the OWASP-Leaders mailing list