[Owasp-leaders] The OWASP Periodic Table Project

James Landis james.landis at owasp.org
Tue Mar 5 23:56:24 UTC 2013


Glad you asked. On the main project page, click on the tab labeled
"Periodic Table of Vulnerabilities". You'll see the first draft incarnation
covering ALL known vulnerability classes. :) (Please let me know if you
think I've missed one.)

Or, click here:
https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities


On Tue, Mar 5, 2013 at 3:52 PM, Abbas Naderi <abbas.naderi at owasp.org> wrote:

> Hello guys,
> Glad to hear another very useful project kicking in.
> I think providing one or two examples of vulns plus the description and
> solution the OWASP Periodic Table wants to offer would set things for most
> of us, as it is really vague right now in my mind at least.
> Thanks
> -Abbas
>
> On 16 Esfand 1391, at 3:20, James Landis <james.landis at owasp.org> wrote:
>
> I think the Periodic Table sits just one level of abstraction above this
> argument. No matter where we finally land on the output encoding vs. input
> validation debate, would we all agree that any generic secure web app
> framework (e.g. "secure" rails, "secure" struts, etc.) should automatically
> enforce both of them without requiring a developer to remember to call the
> right validation or encoding function?
>
> A flexible framework would probably want to expose configuration options
> for the filters and encoders, but for the first version of the document I'd
> only want to get as far into the implementation details as is necessary to
> make sure we know the solution is technically feasible and not going to
> kill off the entire user base for the framework.
>
> -j
>
>
> On Tue, Mar 5, 2013 at 1:31 PM, Dennis Groves <dennis.groves at owasp.org> wrote:
>
>>
>>>> * Other odd ball contexts need their own love, probably along the lines
>>>> of IV.
>>>>
>>>
>>> Would love to see some examples.
>>>
>>> And in general, input validation is great secure coding hygiene practice
>>> and does indeed stop some injection (like when validating numeric input
>>> that lands in a query). But to stop SQL Injection, it's all about query
>>> parametrization (and proper design) for complete defense.
>>>
>>
>> Is that because you're thinking of remediation and we are thinking of root
>> cause?
>> In my mind root cause and remediation are not the same: one is the how
>> (solution), the other is the why (reason). And I, unfortunately, cannot
>> think of any examples. :/
>>
>>
>> Dennis
>>
>> --
>> [Dennis Groves](http://about.me/dennis.groves), MSc
>> [Email me](mailto:dennis.groves at owasp.org)
>> or [schedule a meeting](http://goo.gl/8sPIy).
>>
>> *This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*
>>
>> **Please do not send me Microsoft Office/Apple iWork documents.**
>> Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
>> Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).
>>
>> The idea that some lives matter less is the root of all that's wrong
>> with the world. -- Paul Farmer
>>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
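The examples the thread asks for, as an added illustration that is not part of any message above and not OWASP project code: a constructed SQLite table with a numeric lookup where input validation alone closes the hole, a name lookup where only a parametrized query copes with a legitimate apostrophe (so validation cannot be the complete defense), and a small `render` helper that applies HTML output encoding automatically, in the spirit of the "secure framework" that enforces validation and encoding without the developer remembering to call them. The table, data, and function names are all assumptions made for this example.

```python
import html
import re
import sqlite3


def make_db():
    """Build a constructed in-memory table (sample data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "O'Brien"), (3, "<b>mallory</b>")],
    )
    conn.commit()
    return conn


_NUMERIC = re.compile(r"^[0-9]{1,9}$")


def is_numeric(value):
    """Input validation: a short run of digits and nothing else."""
    return bool(_NUMERIC.match(value))


def name_by_id(conn, raw_id):
    """Numeric input landing in a query: validation alone closes the hole.

    The value is rejected before it reaches SQL, so even the concatenated
    query below cannot be altered by it. Returns None for rejected input.
    """
    if not is_numeric(raw_id):
        return None
    query = "SELECT name FROM users WHERE id = " + raw_id
    return [row[0] for row in conn.execute(query)]


def ids_by_name_concat(conn, name):
    """Free-text input concatenated into SQL.

    No whitelist fits names (an apostrophe is legitimate), so validation
    cannot save this query: it breaks on "O'Brien". The syntax error is
    reported as None so the failure is visible to the caller.
    """
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError:
        return None


def ids_by_name_param(conn, name):
    """The complete defense: a parametrized query keeps data out of the SQL text."""
    query = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render(template, **values):
    """Output encoding enforced by the framework: every value is HTML-escaped
    before substitution, so a developer never has to remember to call it."""
    escaped = {key: html.escape(str(value)) for key, value in values.items()}
    return template.format(**escaped)


if __name__ == "__main__":
    conn = make_db()
    print(name_by_id(conn, "2"))                # ["O'Brien"]
    print(name_by_id(conn, "2x"))               # None: rejected by validation
    print(ids_by_name_concat(conn, "O'Brien"))  # None: query broke on legitimate input
    print(ids_by_name_param(conn, "O'Brien"))   # [2]
    print(render("<p>{name}</p>", name="<b>mallory</b>"))  # <p>&lt;b&gt;mallory&lt;/b&gt;</p>
```

The two name lookups make the point from the thread concrete: the concatenated query fails on ordinary data before any attacker shows up, while the parametrized one treats the same string purely as a value. `render` is the framework-side counterpart for output encoding; `html.escape` also encodes quotes, which is the conservative default for values that may land inside attributes.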