[Owasp-leaders] The OWASP Periodic Table Project

James Landis james.landis at owasp.org
Tue Mar 5 23:50:14 UTC 2013


I think the Periodic Table sits just one level of abstraction above this
argument. No matter where we finally land on the output encoding vs. input
validation debate, would we all agree that any generic secure web app
framework (e.g. "secure" rails, "secure" struts, etc.) should automatically
enforce both of them without requiring a developer to remember to call the
right validation or encoding function?

A flexible framework would probably want to expose configuration options
for the filters and encoders, but for the first version of the document I'd
only want to get as far into the implementation details as is necessary to
make sure we know the solution is technically feasible and not going to
kill off the entire user base for the framework.

-j


On Tue, Mar 5, 2013 at 1:31 PM, Dennis Groves <dennis.groves at owasp.org> wrote:

>
>  * Other odd ball contexts need their own love, probably along the lines
>>> of IV.
>>>
>>
>> Would love to see some examples.
>>
>> And in general, input validation is great secure coding hygiene practice
>> and does indeed stop some injection (like when validating numeric input
>> that lands in a query). But to stop SQL Injection, it's all about query
>> parametrization (and proper design) for complete defense.
>>
>
> Is that because you're thinking of remediation and we are thinking of root
> cause?
> In my mind root cause and remediation are not the same: one is a how
> (solution), the other is the why (reason). And I, unfortunately, cannot
> think of any examples. :/
>
>
> Dennis
>
> --
> [Dennis Groves](http://about.me/dennis.groves), MSc
> [Email me](mailto:dennis.groves at owasp.org) or
> [schedule a meeting](http://goo.gl/8sPIy).
>
> *This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB)
> license.*
>
> **Please do not send me Microsoft Office/Apple iWork documents.**
> Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).
>
> The idea that some lives matter less is the root of all that's wrong with
> the world. -- Paul Farmer
>
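An added illustration of the framework-level enforcement James argues for, not code from this thread or from any OWASP project: a toy Python "framework" whose template renderer HTML-encodes every substituted value by default, whose database layer exposes only a parameterized query call, and whose route decorator coerces declared request parameters before the handler runs, so the view author never has to remember an encoder, a validator, or a quoting routine. The `Template`, `SafeHtml`, `Db` and `validated` names, and the sample rows, are this example's own constructions.

```python
import html
import re
import sqlite3
from typing import Any, Callable


class SafeHtml(str):
    """Marker for a fragment the framework itself already encoded; rendered verbatim."""


class Template:
    """Every {{ name }} slot is HTML-encoded at render time unless the value is SafeHtml,
    so encoding is a property of the renderer, not something the view must remember."""

    _slot = re.compile(r"\{\{\s*(\w+)\s*\}\}")

    def __init__(self, source: str) -> None:
        self.source = source

    def render(self, **values: Any) -> str:
        def encode(m: re.Match) -> str:
            v = values[m.group(1)]
            return v if isinstance(v, SafeHtml) else html.escape(str(v), quote=True)
        return self._slot.sub(encode, self.source)


class Db:
    """The only query entry point takes a parameter tuple: values never touch the SQL text."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
        # constructed sample rows for the example; "<bob>" shows the encoder at work
        self.conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "<bob>")])

    def query(self, sql: str, params: tuple = ()) -> list:
        return self.conn.execute(sql, params).fetchall()


def validated(**types: Callable[[str], Any]) -> Callable:
    """Hypothetical route decorator: coerces each declared request parameter
    (e.g. user_id=int) before the handler runs; malformed input raises ValueError."""
    def wrap(handler: Callable) -> Callable:
        def run(db: Db, **raw: str) -> str:
            return handler(db, **{k: types[k](v) if k in types else v for k, v in raw.items()})
        return run
    return wrap


@validated(user_id=int)
def profile(db: Db, user_id: int) -> str:
    rows = db.query("SELECT name FROM users WHERE id = ?", (user_id,))
    name = rows[0][0] if rows else "unknown"
    return Template("<p>Hello, {{ who }}</p>").render(who=name)
```

The handler `profile` contains no escaping and no quoting, yet its output is encoded and its query is parameterized; that is the property a "secure rails"-style framework would guarantee for every route.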