[Owasp-sydney] Greetings - OWASP Testing Guide v3

NG, Paul (GE Capital, Non-GE) paul.ng1 at ge.com
Mon Aug 16 20:30:31 EDT 2010


Oops. I found the source for ESAPI... my bad. Sorry.

If you know of any interest group on secure AJAX, please fill me in
;-). Thanks!


Regards, 
Paul Ng 



-----Original Message-----
From: NG, Paul (GE Capital, Non-GE) 
Sent: Tuesday, August 17, 2010 10:16 AM
To: 'Christian Heinrich'
Cc: Dan McGrath; Owasp-sydney at lists.owasp.org;
leander.nott at newcastlepermanent.com.au
Subject: RE: [Owasp-sydney] Greetings - OWASP Testing Guide v3

Hi Christian,
I appreciate you bringing ESAPI to my attention. At first glance, it
looks lean, pretty and 'mean' ;-). However, I might have to ask to take
a look at the source of the assembly, and I can't seem to locate it with
the sitemap given.

I'm also trying to incorporate rich-client capabilities into our web
application, and AJAX.NET is the option available. However, as with AJAX,
it's classically known that the trade-off is that some server-side
functionality now runs on the client-browser end to fuel rich user
experiences - in essence, exported server functionality and protected
data are now imported into the browser's end. I'm skeptical about how secure
AJAX is and how it can open loopholes for hacking. Whilst maintaining
healthy skepticism on AJAX, I'm not sure how sensitive information flow to
the client side can be secured, and I am figuring out if there's a common
standard/framework out there that gives peace of mind on this subject.
Is there an OWASP interest group I could join to investigate? Are there any
currently identified common exploits of AJAX.NET that I could take note
of?


Regards,
Paul Ng 


-----Original Message-----
From: Christian Heinrich [mailto:christian.heinrich at owasp.org] 
Sent: Tuesday, August 17, 2010 8:15 AM
To: NG, Paul (GE Capital, Non-GE)
Cc: Dan McGrath; Owasp-sydney at lists.owasp.org;
leander.nott at newcastlepermanent.com.au
Subject: Re: [Owasp-sydney] Greetings - OWASP Testing Guide v3

Paul,

As your interest is defensive coding, I would recommend you consider
reviewing
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
- I mentioned ESAPI during kuza55's WAF presentation at the recent Sydney
Chapter Meeting.

You might also want to highlight http://www.opensamm.org/ (also an OWASP
Project) to your senior management to improve the success of introducing
a secure development culture within your organization - OpenSAMM is also
being presented at the AISA Sydney Branch Meeting on
6 October.

On Mon, Aug 16, 2010 at 12:13 PM, NG, Paul (GE Capital, Non-GE)
<paul.ng1 at ge.com> wrote:
> Dear Dan, Leann
> It's good to see such enthusiasm in web app security. I'm a web
> application developer myself and only until recently have gotten
> really interested in doing defensive coding against common web
> application security breaches.
>
> If you browse to the links below, it has a PDF document for download and
> it is very comprehensive and it does present some really 'real' things
> you can customize into your application security checklist & testcases
> that can be incorporated into the Web Software SDLC? Just this would
> help...
>
> http://www.owasp.org/index.php/Category:OWASP_Testing_Project

--
Regards,
Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking