[Owasp_framework_security_project] Kicking off the project

James Landis james.landis at owasp.org
Sat Jan 18 00:25:11 UTC 2014


Awesome! I'm super excited to see this project rolling!

Manico and I and a few others started putting together some thoughts on
this a few years ago as well, somewhat patterned after WAFEC:

https://docs.google.com/document/d/1XwvFS0dTwue77JlsggFg7KAxPPMIwc4iKMWwXpzfD2A/edit?usp=sharing

A few points of discussion to consider (we can spin these off into
different threads if necessary):

1. Perhaps some introductions of the working group members would be in
order? :)

2. I think one of the key insights we had a few years ago is that a
framework falls somewhere on a continuum between "vulnerable out of the
box" and "developer can't introduce the vuln even if they tried". That is a
slightly different approach than the current one in the spreadsheet, though
some of this is captured in column B ("present/not present/in progress")
and column D ("en/disabled by default"). Punishment or reward for reaching
either of these two additional and extreme ends of the spectrum might be
valuable to capture in the scoring function.

3. The continuum in #1 sort of suggests that "vulnerabilities" are used
instead of "protections", though there does exist a discrete mapping
between the two and it might not be too hard to create different "views" of
the data for users who'd want to see how the frameworks stack up through
one lens or the other. My personal guess is that most groups that would be
making risk decisions about frameworks (product managers, engineering
managers, security teams) would be more comfortable with a
vulnerability-based view as opposed to a protection-based view, but of
course the only way to determine how well a framework does with a
vulnerability class is to measure the protections it has in place to
eliminate that vulnerability. So this probably is a matter of presentation
much more than it is a matter of measurement methodology.

4. If this group agrees with how the OWASP Periodic Table divides up the
protections between perimeter/platform, frameworks, browser/standards, and
custom code solutions, we can just go right down the list at
https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities#tab=Periodic_Table_of_Vulnerabilities
and make sure all of the framework solution requirements documented there
are measured by the Framework Security project. Naturally, I'd want the
Periodic Table to be informed by any insights we gain on this project, as
well.

-j




On Wed, Jan 15, 2014 at 5:18 AM, Jerry Hoff <jerry at owasp.org> wrote:

> Hi team,
>
> I worked on a similar project a few years ago - it's probably out of date
> but we might be able to get some good data out of it and add to the new
> project:
>
>
> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AjEL3xccZUtJdGlSOFk0am5ydnlTd1FOUGVZNmllb2c&pli=1#gid=0
>
> Jerry
>
> --
> Jerry Hoff
> @jerryhoff
> jerry at owasp.org
>
>
>
> On Jan 15, 2014, at 7:44 AM, Michael Coates <michael.coates at owasp.org>
> wrote:
>
> All,
>
> Thanks to those that are helping out on the Django security controls.
> We're starting to make some great progress!
>
> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AhSfMVkfLvsldEltRUEwMkUydVVrMkNyVW1vbGxLaXc#gid=0
>
>  I also posted in the django developer group to see if we can get
> traction there (
> https://groups.google.com/forum/#!topic/django-developers/uc01Z2DZHh4).
> We've got a handful of views so far.
>
>
>
>
> --
> Michael Coates
> @_mwc
>
>
>
> On Tue, Jan 14, 2014 at 8:41 AM, Michael Coates <michael.coates at owasp.org> wrote:
>
>> All,
>>
>> It's time for us to get moving on this project. After introducing the
>> project I hit a ton of work and unfortunately didn't get as much time on
>> this item.
>>
>> Starting Things Up
>> The project will evolve as we gather information. For now let's start in
>> a google doc - it's easy to edit and easy for people to contribute. We also
>> need a framework to start with. I recommend we start with Django.
>>
>> Here is the google spreadsheet. Please start contributing with any info
>> you have.
>>
>>
>> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AhSfMVkfLvsldEltRUEwMkUydVVrMkNyVW1vbGxLaXc&usp=sharing
>>
>> Ways to help:
>> 1. Add security controls to the list
>> 2. Fill out the table with information
>> 3. Email the list with ideas on how we should continue to evolve the
>> project
>>
>>
>> Thanks!
>>
>>
>> --
>> Michael Coates
>> @_mwc
>>
>>
> _______________________________________________
> Owasp_framework_security_project mailing list
> Owasp_framework_security_project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_framework_security_project
>
>
>
>
>