[Owasp-leaders] Instead of OWASP libraries, why don't we ...

Tim Morgan tim.morgan at owasp.org
Sat Nov 21 18:13:38 UTC 2015


Josh, Jim, Johanna, and Kevin: 

Thanks much for taking the time to watch my presentation.  I know
everyone in this business has a lot on their plate.


It should be easy enough to approach smaller projects and frameworks,
but in order to make the most difference, I think we need to engage the
*big* development platform maintainers.  Of course if I just contact
Microsoft's .NET maintainers or Oracle's Java maintainers myself and
ask them to change their APIs, that's not going to go very far.  But
if we have a team of people, a structured framework for what safe APIs
look like, and the OWASP brand behind us, I think that could allow us
to get traction.

As for a framework, we need to define the properties of a secure API.
Of course APIs are hard to put in a box... they are varied and do many
different things.  However, one high-profile family of vulnerabilities
is Injections.  I think we can easily come up with a framework on how
to provide APIs that discourage injections, and that would be a great
place to start.

Once we have a framework, we could have individual volunteers (or even
paid technical experts) provide assessments of published APIs, much
like I did here:
  http://blog.blindspotsecurity.com/2015/01/multiple-ldap-apis-are-asking-for.html
  (See the table toward the end.)

It doesn't take too much effort to compare APIs once you have a simple
checklist like this.  Then by publishing the findings in the Wiki (or
something similar), we put implicit pressure on those platforms that
are not up to snuff.  Of course we'll also want to directly contact
each platform maintainer and suggest specific changes.  Perhaps even
provide patches, where appropriate.  The changes to APIs need not be
dramatic or require a great deal of work in many cases, which
hopefully means they will actually be adopted.


Ok, enough for now.  I think next steps would be to form a team of
volunteers who want to work on this.  This kind of project very much
needs input from numerous security people.

tim
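As an added illustration of the "APIs that discourage injections" idea above (example code, not something from the thread or from any OWASP project): a minimal LDAP filter builder that takes user values as parameters and escapes them per RFC 4515, shown beside the string-concatenation shape such a checklist would flag. The filter template, attribute names and sample username are constructed for the example.

```python
# Added example, not from the mailing-list thread. A tiny "parameterized"
# LDAP filter API of the kind the checklist argues for: the developer writes
# the filter template, user-supplied values only ever arrive as parameters.

# RFC 4515 requires these characters to be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, *params: str) -> str:
    """Fill '{}' placeholders in a developer-controlled template with escaped values.

    Splitting on the placeholder (rather than str.replace in a loop) means a
    value that itself contains '{}' can never consume the next parameter.
    """
    parts = template.split("{}")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for value, tail in zip(params, parts[1:]):
        out += escape_filter_value(value) + tail
    return out


def unsafe_filter(username: str) -> str:
    """The concatenation-style API shape the checklist would mark as unsafe."""
    return "(&(objectClass=person)(uid=" + username + "))"


def safe_filter(username: str) -> str:
    """Same lookup, but the value goes through the parameterized builder."""
    return build_filter("(&(objectClass=person)(uid={}))", username)


def filter_components(filter_str: str) -> int:
    """Crude structure probe: every literal '(' opens a filter component.

    Escaped values contain no literal parentheses, so a parameterized filter
    always has exactly as many components as its template.
    """
    return filter_str.count("(")
```

Running both builders on the same constructed value `a*)(uid=b` shows the concatenated filter growing a fourth component while the parameterized one keeps the template's three; that structural invariant is the property a checklist entry can test for.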



On Sat, Nov 21, 2015 at 09:56:42AM -0600, Josh Sokol wrote:
> I agree with what Tim said.  For example, if PHPSec is so bad that one of
> the original developers said we should ditch it, maybe we should look for
> the best 3rd party tool out there (
> https://github.com/padraic/SecurityMultiTool perhaps) and give them
> resources to help improve it and drive people to it.  OWASP should be all
> about giving people the right resources, not necessarily having to create
> them ourselves.
> 
> ~josh
> 
> On Sat, Nov 21, 2015 at 9:47 AM, Jim Manico <jim.manico at owasp.org> wrote:
> 
> > I think that's a great idea, Johanna. It's wise of us to spend our funds
> > on providing these key defensive projects with additional assurance.
> >
> > In general, I'd like to see OWASP bring in more •technical• resources to
> > help with projects, wiki and infrastructure enhancement. I also think Tim's
> > idea about helping common frameworks with security engineering is spot on
> > and I'd love to see us invest in those efforts. I've submitted a few
> > suggestions to the board and it's being discussed in the context of the
> > 2016 budget.
> >
> > --
> > Jim Manico
> > Global Board Member
> > OWASP Foundation
> > https://www.owasp.org
> > Join me in Rome for AppSecEU 2016!
> >
> > On Nov 21, 2015, at 9:39 AM, johanna curiel curiel <
> > johanna.curiel at owasp.org> wrote:
> >
> > >>Or offer bounties for specific platform security tasks.
> >
> > Why not as part of a Project review process to offer bounties for testing
> > the project at security level?
> > We have some key projects like CSRFGuard and Java HTML Sanitizer that are
> > used as 'Protection Libraries' against certain attacks and many companies
> > are depending on these projects to secure their sites. Even I know some
> > using ESAPI still
> >
> >
> >
> > On Fri, Nov 20, 2015 at 11:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> > Does this resonate with anyone?
> >>
> >> Spot on. It's hard work and takes a lot of selfless dedication.
> >>
> >> I feel OWASP should consider spending some of its funds to hire
> >> developers to be dedicated to some of these tasks. Or offer bounties for
> >> specific platform security tasks. I think that would accelerate this kind
> >> of activity, significantly....
> >>
> >> Auto-escaping templates, CSP integration, solid ABAC implementations,
> >> default secure headers, solid integrated password storage, etc etc all by
> >> default all integrated into common development platforms.
> >>
> >> I think this would be an awesome way to serve the mission. Anyone agree?
> >>
> >> --
> >> Jim Manico
> >> Global Board Member
> >> OWASP Foundation
> >> https://www.owasp.org
> >> Join me in Rome for AppSecEU 2016!
> >>
> >> On Nov 20, 2015, at 4:10 PM, Tim Morgan <tim.morgan at owasp.org> wrote:
> >>
> >> Does this resonate with anyone?
> >>
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >
> >
> >



