[Owasp-leaders] The OWASP Periodic Table Project

Abbas Naderi abbas.naderi at owasp.org
Tue Mar 5 23:52:42 UTC 2013


Hello guys,
Glad to hear another very useful project kicking in.
I think providing one or two examples of vulns plus the description and solution the OWASP Periodic Table wants to offer would set things for most of us, as it is really vague right now in my mind at least.
Thanks
-Abbas
On 16 Esfand 1391, at 3:20, James Landis <james.landis at owasp.org> wrote:

> I think the Periodic Table sits just one level of abstraction above this argument. No matter where we finally land on the output encoding vs. input validation debate, would we all agree that any generic secure web app framework (e.g. "secure" rails, "secure" struts, etc.) should automatically enforce both of them without requiring a developer to remember to call the right validation or encoding function?
> 
> A flexible framework would probably want to expose configuration options for the filters and encoders, but for the first version of the document I'd only want to get as far into the implementation details as is necessary to make sure we know the solution is technically feasible and not going to kill off the entire user base for the framework.
> 
> -j
> 
> 
> On Tue, Mar 5, 2013 at 1:31 PM, Dennis Groves <dennis.groves at owasp.org> wrote:
> 
> * Other odd ball contexts need their own love, probably along the lines of IV.
> 
> Would love to see some examples.
> 
> And in general, input validation is great secure coding hygiene practice and does indeed stop some injection (like when validating numeric input that lands in a query). But to stop SQL Injection, it's all about query parametrization (and proper design) for complete defense.
> 
> Is that because you're thinking of remediation and we are thinking of root cause?
> In my mind root cause and remediation are not the same: one is the how (solution), the other is the why (reason). And I, unfortunately, cannot think of any examples. :/
> 
> 
> Dennis
> 
> -- 
> [Dennis Groves](http://about.me/dennis.groves), MSc
> [Email me](mailto:dennis.groves at owasp.org) or [schedule a meeting](http://goo.gl/8sPIy).
> 
> *This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
> 
> **Please do not send me Microsoft Office/Apple iWork documents.**
> Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).
> 
> The idea that some lives matter less is the root of all that’s wrong with the world. -- Paul Farmer
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
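An added example, not written by anyone in this thread, that shows the distinction Dennis draws above between input validation and query parametrization. It assumes Python's built-in sqlite3 module and constructed sample rows: validation alone is enough for a numeric id field, while parameter binding is what keeps a free-text name lookup safe whatever the string contains.

```python
import re
import sqlite3

# Constructed sample rows for the demo; not real users.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
]


def make_db():
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def validate_user_id(raw):
    """Input validation: only a string of ASCII digits may become an id.

    This rule fully describes what a valid id looks like, so for this one
    field validation by itself stops injection. It says nothing about text
    fields, where no such rule exists.
    """
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]+", raw) is None:
        raise ValueError("user id must be a decimal integer")
    return int(raw)


def find_by_id(conn, raw_id):
    """Validated id, then bound as a parameter anyway (defense in depth)."""
    uid = validate_user_id(raw_id)
    row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


def find_by_name(conn, raw_name):
    """Free-text field: a name may legitimately contain quotes or spaces, so
    no allow-list captures it. The `?` placeholder sends the value to the
    engine as data; it is never spliced into the SQL text."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (raw_name,)).fetchall()
    return [r[0] for r in rows]
```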
