[Owasp_framework_security_project] Welcome!

James Landis james.landis at owasp.org
Tue Sep 17 20:14:01 UTC 2013


Why not SAMEORIGIN by default? :)
On Sep 16, 2013 10:03 AM, "Chris Varenhorst" <varenc at gmail.com> wrote:

> hey all,
>
> I'm Chris and I'm a software engineer at Dropbox where I like to do
> security stuff sometimes.
>
> I'm also irrationally excited about getting web frameworks to send
> X-Frame-Options: DENY by default.
>
> -Chris
>
>
> On Sun, Sep 15, 2013 at 9:36 AM, James Landis <james.landis at owasp.org>wrote:
>
>> Michael, are you going to introduce yourself, too? :)
>>
>> I'm a SDLC/governance guy, currently living in the Bay Area and working
>> for a little company called eBay, though I cut my teeth doing consulting
>> work around the world for many years prior. Much of that work was app pen
>> testing and training. It got frustrating over time finding the same exact
>> problems over and over again. It got to the point where I would ask my
>> customers if they were doing any of a short list of things, and if not I
>> would tell them not to waste money doing pen tests since I could already
>> tell them what they were going to find.
>>
>> I'm also the project lead for the OWASP Periodic Table. The main guiding
>> principle of that project is that, like buffer overflow, most vulnerability
>> classes can be solved before an app developer even has a chance to write
>> the first line of custom code. One of the things I think that means is that
>> a framework shouldn't just expose security APIs, but it should be
>> architected in such a way as to make it impossible to even make security
>> mistakes at all! I'm excited to be a part of this effort to see if the
>> theories we have can actually be implemented in the real world. As part of
>> the project, we've already done a ton of legwork documenting high-level
>> framework solution requirements; I'm looking forward to seeing how that
>> rubber meets the road when it comes to low-level implementation!
>>
>> Thanks for the opportunity to join this team.
>>
>> -j
>>  On Sep 11, 2013 8:37 PM, "Michael Coates" <michael.coates at owasp.org>
>> wrote:
>>
>>> Welcome to the OWASP Framework Security Project,
>>>
>>> We have our project page setup here:
>>> https://www.owasp.org/index.php/OWASP_Framework_Security_Project
>>> an example of the matrix we can build for framework controls is listed
>>> here:
>>>
>>> https://www.owasp.org/index.php/OWASP_Framework_Security_Project#tab=Frameworks__26_Security_Controls
>>>
>>> I've added some of the high level information on the project and our
>>> goals.
>>>
>>> We need to do a few things first:
>>> 1. What type of people do we have on the list? Please do introduce
>>> yourself and also indicate if you are a Framework Developer, Security
>>> Professional, a
>>> Framework Leader or something else all together.
>>>
>>> 2. We need to decide on the frameworks and controls we want to focus on
>>> first. This will be partially impacted by our initial resources and
>>> connections
>>>
>>> 3. We need to build the list of available security controls and which
>>> frameworks support what (starting with the framework we picked in step 2).
>>>
>>> Then we'll move into coordination with the framework teams and go from
>>> there.
>>>
>>> With that, welcome! Please introduce yourself to the list.
>>>
>>>
>>> *
>>> *
>>>
>>> --
>>> Michael Coates | OWASP | @_mwc
>>>
>>> _______________________________________________
>>> Owasp_framework_security_project mailing list
>>> Owasp_framework_security_project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_framework_security_project
>>>
>>>
>> _______________________________________________
>> Owasp_framework_security_project mailing list
>> Owasp_framework_security_project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_framework_security_project
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_framework_security_project/attachments/20130917/6cda42a6/attachment.html>


More information about the Owasp_framework_security_project mailing list