Hi Rohit,
A lot of effort has clearly gone into this document. I haven't gone
through it with a fine-toothed comb, but it seems like a reasonably
thorough discussion of security issues affecting web frameworks.
However, if you're looking for frank feedback, here goes:
Who exactly is the intended audience for this document? What is/are
the action item(s) stemming from it?
More broadly, what it is you are hoping to achieve by writing this document?
Reading between the lines, I'm guessing you would like to see every
web framework in the world adhering to best practices, with no obvious
and know security vulnerabilities. This is a laudable goal, and I
certainly share this aspiration.
But there are two ways to achieve this goal. The first is to sit in a
tower, passing down Solomonic judgements on "the way it should be".
The second is to actually get involved and help make the change you
want to see in the world.
Writing manifestos may give you a sense of personal satisfaction at
the volume of material you have generated, but it doesn't actually
change the world at all. It merely provides the reference material
that others may be able to use to inform the changes that they are
making. This is a useful resource, but it isn't *in itself* a catalyst
for change.
I'm not suggesting that you should spend all your time being a Django
developer (although I certainly wouldn't turn away the extra help). My
point is that in volunteer open source communities, the only way to
actually bring about change is to actively engage a developer
community. Become a known, trusted voice -- in this case, on security
issues.
For example, the Django-dev list has just recently gone through a
series of discussions about our default password hashing policies.
Some of these discussions have hinged on interpretations of what
constitutes best practice in these areas. This would be a golden
opportunity for someone with relevant experience and knowledge to
speak up, offer advice gleaned from experience with other frameworks,
and generally establish topic expertise.
There are other examples of people doing this very effectively. Graham
Dumpleton is the developer of mod_wsgi. He's isn't a member of the
Django core team, but he is *very* well known to the Django community
because he is actively involved in our mailing lists, issue tracker,
and so on. If a WSGI/Apache configuration related issue arises, Graham
is usually there giving advice. And he doesn't just do this for Django
-- he lurks in a similar way on other Python frameworks. He is
actively involved across the Python web framework community, pushing
an agenda that he is passionate about -- the WSGI interface to Apache.
OWASP already maintains a list of vulnerabilities, threat and attacks.
These are very well documented and explained analyses of individual
potential problems, and as a whole, serves as a magnificent reference
resource.
Compiling this list (or a subset of that list) into a monolithic
"manifesto" doesn't improve the quality or prescience of the
information. A manifesto is a lovely document that I might read once,
perhaps bookmark or tweet, and then move on. That doesn't actually
help bring about any change.
What *would* help bring about change is having someone with expertise
actually getting involved -- participating in discussions, starting
new discussions, raising tickets, auditing code when new problems are
identified, and so on.
tl;dr -- You won't get any argument out of me that the goals of OWASP
are important. There are things that are on OWASP's lists that Django
could do better. Sometimes this is out of ignorance, sometimes it's a
matter of history, and sometimes there are other concerns. But writing
long documents describing what other people should do doesn't help
change anything -- we need people to actually get involved and engage
us in a specific discussions about what we could be doing better.
Yours,
Russ Magee %-)
I had a skim of the document, too, and my feelings are pretty close to
Russ's, so I won't bother with any specific feedback -- he basically
speaks for me, too.
To build off Russ, though, I have a bit of a meta meta-suggestion
about OWASP in general. One huge problem I have as a software
developer is that security is a bit of blind spot: I know a bit I've
picked up here and there, but I really only know enough to not trust
myself to get it right. Now, I'm used to trusting others' opinions
about most of my technical blind spots, but the implications of
security failures mean that I don't just have a knowledge problem, I
*also* have a trust problem. I would be absolutely thrilled if there
was a resource I could reach out to for design help, code review,
advice for handling vulnerability reports, etc. I think OWASP has the
trust to be such a group.
The model here I think would be groups like the SFLC, who provide free
legal advice to free software authors. Law is another place, like
security, that has both a blind spot problem and a trust one, and they
(and similar groups/individuals) are a critical part of the open
source ecosystem.
We've strayed way off-topic, I think, and so I'll leave this there --
but feel free to contact me off-list if you want to discuss further.
Jacob