WebApp Sec: Welcome to a new year at WebAppSec

From: Andrew van der Stock <vanderaj_at_owasp.org>
Date: Sun, 6 Jan 2008 21:45:40 -0500

Hi there,

This year is an opportunity to fundamentally improve things in the web
app sec world.

Some of the things I really think we should do this year are to reach
out to the frameworks, to make common webappsec deficiencies go away.
Permanently.

1. XSS. We really need to touch base with them so that apps developed
using common frameworks are un-XSSable. However, this is not the
entire story - XSS is a family of attacks deriving from encoding
issues. We need to engage with the framework developers and help them
come up with a simple way for apps to only access canonicalized input
(regardless of source) using white listing (positive validation).

2. Injections. We not only need frameworks to remove access to
concatenating SQL query interfaces, we need LDAP, XML and other
common interfaces to be uninjectable as well. We know that
parameterized statements eliminate SQL injection; we need similar
interfaces for other common text based protocols.

3. Eliminating or disabling unsafe APIs, like PHP's allow_url_fopen and
wrappers, by default. There is a tiny fraction of applications that
need this type of functionality, and they should ask for it - with the
WARNING WARNING WARNING klaxons blaring.

4. Make common webappsec blunders harder to justify by providing a
common framework to enable safer options, such as safe indirect object
references, and so on. OWASP has developed the ESAPI, an enterprise
security API. It satisfies a number of common "I told you so" issues,
such as membership, indirect object references, and so on. I am sure
we will see ports other than Java.

5. Connecting to the developer community. We're converted. We know
what works - but most of us on this list do not develop the apps, only
review them. Developers always seem to be surprised when we 0wn their
apps. Let's start talking to them - a lot.

What are your favorite developer conferences?

What are your thoughts on what could be improved?

thanks,
Andrew van der Stock
Lead Author, OWASP Guide
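Points 1 and 2 of the post above, shown side by side in code. This is an added example written for this archive page, not code from the post, from OWASP or from ESAPI: a constructed in-memory SQLite table, a deliberately concatenated query next to its parameterized form, a canonicalize-then-whitelist input filter, and HTML output encoding for the XSS case. Function names (`make_db`, `lookup_concat`, `lookup_param`, `canonical_username`, `lookup_checked`, `render_greeting`) and the username policy are assumptions chosen for the example.

```python
import html
import re
import sqlite3
import unicodedata

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The 'before': query text built by string concatenation.

    This is the interface the post wants frameworks to stop exposing. The
    input becomes part of the SQL grammar, so a quote in it changes the query.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """The 'after': a parameterized statement.

    The value is bound by the driver and is never parsed as SQL, so the same
    input that broke the concatenated query simply matches no row.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


# Positive validation (whitelist) for a username: what is allowed, not what is
# forbidden. Assumed policy: lowercase ASCII letters, digits, underscore.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{0,31}\Z")


def canonical_username(raw):
    """Canonicalize first, then validate; return None if the input is rejected.

    NFKC folds fullwidth and other compatibility forms into their plain
    ASCII equivalents, so the whitelist is applied to one canonical form
    regardless of how the bytes arrived.
    """
    if not isinstance(raw, str):
        return None
    canon = unicodedata.normalize("NFKC", raw).strip().lower()
    return canon if USERNAME_RE.fullmatch(canon) else None


def lookup_checked(conn, raw):
    """Whitelist the input, then query with a bound parameter (both layers)."""
    name = canonical_username(raw)
    if name is None:
        return []
    return lookup_param(conn, name)


def render_greeting(name):
    """Output encoding for HTML context: the other half of the XSS story."""
    return "Hello, " + html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote
    print("concat:", lookup_concat(db, probe))   # every row comes back
    print("param: ", lookup_param(db, probe))    # no row matches
    print("checked:", lookup_checked(db, "ＡＬＩＣＥ "))  # canonicalizes to alice
    print(render_greeting("<b>guest</b>"))
```

Both layers matter: the whitelist rejects input that should never reach the database, and the bound parameter protects the query even when a value legitimately contains a quote (a surname like O'Brien, for example).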

Received on Jan 06 2008
