Your thoughts on the Secure Web Application Framework Manifesto

61 views
Skip to first unread message

Rohit Sethi

unread,
Feb 21, 2011, 10:21:59 AM2/21/11
to Django developers
Django devs, I wanted to thank you for a truly awesome framework.
Programming with Python, and web app dev in Django, is truly a
pleasure. Our company, Security Compass, uses Django quite
substantially internally.

We put together a document called the Secure Web Application Framework
Manifesto for the Open Web Application Security Project (OWASP) - see:
http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto

I would love to get your feedback about this project. How much of this
is realistic and how much of it is pie in the sky? Is it relevant for
you? If not, how does this document need to change to become relevant?
Clearly, Django takes security seriously which is a major reason we
use it. Please feel free to be candid - if you think the document
sucks and could never be used, it's important you let us know that
too.

Thanks in advance,

Rohit Sethi
@rksethi

Rohit Sethi

unread,
Feb 21, 2011, 3:45:26 PM2/21/11
to Django developers
One more point - if any of you have questions for somebody who leaves
and breathes web application security every day, please feel free to
fire them off to me:

rohit at securitycompass.com

On Feb 21, 10:21 am, Rohit Sethi <rkli...@gmail.com> wrote:
> Django devs, I wanted to thank you for a truly awesome framework.
> Programming with Python, and web app dev in Django, is truly a
> pleasure. Our company, Security Compass, uses Django quite
> substantially internally.
>
> We put together a document called the Secure Web Application Framework
> Manifesto for the Open Web Application Security Project (OWASP) - see:http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_...

Russell Keith-Magee

unread,
Feb 21, 2011, 7:42:21 PM2/21/11
to django-d...@googlegroups.com

Hi Rohit,

A lot of effort has clearly gone into this document. I haven't gone
through it with a fine-toothed comb, but it seems like a reasonably
thorough discussion of security issues affecting web frameworks.

However, if you're looking for frank feedback, here goes:

Who exactly is the intended audience for this document? What is/are
the action item(s) stemming from it?

More broadly, what it is you are hoping to achieve by writing this document?

Reading between the lines, I'm guessing you would like to see every
web framework in the world adhering to best practices, with no obvious
and know security vulnerabilities. This is a laudable goal, and I
certainly share this aspiration.

But there are two ways to achieve this goal. The first is to sit in a
tower, passing down Solomonic judgements on "the way it should be".
The second is to actually get involved and help make the change you
want to see in the world.

Writing manifestos may give you a sense of personal satisfaction at
the volume of material you have generated, but it doesn't actually
change the world at all. It merely provides the reference material
that others may be able to use to inform the changes that they are
making. This is a useful resource, but it isn't *in itself* a catalyst
for change.

I'm not suggesting that you should spend all your time being a Django
developer (although I certainly wouldn't turn away the extra help). My
point is that in volunteer open source communities, the only way to
actually bring about change is to actively engage a developer
community. Become a known, trusted voice -- in this case, on security
issues.

For example, the Django-dev list has just recently gone through a
series of discussions about our default password hashing policies.
Some of these discussions have hinged on interpretations of what
constitutes best practice in these areas. This would be a golden
opportunity for someone with relevant experience and knowledge to
speak up, offer advice gleaned from experience with other frameworks,
and generally establish topic expertise.

There are other examples of people doing this very effectively. Graham
Dumpleton is the developer of mod_wsgi. He's isn't a member of the
Django core team, but he is *very* well known to the Django community
because he is actively involved in our mailing lists, issue tracker,
and so on. If a WSGI/Apache configuration related issue arises, Graham
is usually there giving advice. And he doesn't just do this for Django
-- he lurks in a similar way on other Python frameworks. He is
actively involved across the Python web framework community, pushing
an agenda that he is passionate about -- the WSGI interface to Apache.

OWASP already maintains a list of vulnerabilities, threat and attacks.
These are very well documented and explained analyses of individual
potential problems, and as a whole, serves as a magnificent reference
resource.

Compiling this list (or a subset of that list) into a monolithic
"manifesto" doesn't improve the quality or prescience of the
information. A manifesto is a lovely document that I might read once,
perhaps bookmark or tweet, and then move on. That doesn't actually
help bring about any change.

What *would* help bring about change is having someone with expertise
actually getting involved -- participating in discussions, starting
new discussions, raising tickets, auditing code when new problems are
identified, and so on.

tl;dr -- You won't get any argument out of me that the goals of OWASP
are important. There are things that are on OWASP's lists that Django
could do better. Sometimes this is out of ignorance, sometimes it's a
matter of history, and sometimes there are other concerns. But writing
long documents describing what other people should do doesn't help
change anything -- we need people to actually get involved and engage
us in a specific discussions about what we could be doing better.

Yours,
Russ Magee %-)

Rohit Sethi

unread,
Feb 21, 2011, 8:09:52 PM2/21/11
to Django developers
Russell, awesome feedback. Thanks for being candid. We are on the same
page that the manifesto is really not all that important in and of
itself: The document piece is really only designed to give frameworks
a platform to say "hey, these are what we support" so that web app
developers building security-sensitive apps get an idea of how much
help they'll get from various framework.

I didn't want to bring this up until I got at least one response, but
my team is busy seeing which manifesto requirements are:

a) Already being fulfilled by Django (great- no more work to be done!)
b) Have been fulfilled elsewhere (e.g. OWASP ESAPI for Python) and
could be built into Django
c) Have not yet been done

We'll be looking to address b) and c) by either porting or building
ourselves. We hope we can get your feedback on why some things aren't
being implemented (if we can't find a pre-existing discussion in
existing tickets and/or this group).

The manifesto is designed to only a starting point: it's taking
several vulnerabilities, beyond the OWASP top 10, into something
targeted specifically for frameworks. It's definitely not intended to
be implemented by every framework in the world - nor should it be.

So, we (myself and at least four of our developers) will be working
closely with the Django community. I will be watching the list closely
and providing feedback when I can.

Looking forward to working with you

Cheers,

Rohit

On Feb 21, 7:42 pm, Russell Keith-Magee <russ...@keith-magee.com>
wrote:
> On Mon, Feb 21, 2011 at 11:21 PM, Rohit Sethi <rkli...@gmail.com> wrote:
> > Django devs, I wanted to thank you for a truly awesome framework.
> > Programming with Python, and web app dev in Django, is truly a
> > pleasure. Our company, Security Compass, uses Django quite
> > substantially internally.
>
> > We put together a document called the Secure Web Application Framework
> > Manifesto for the Open Web Application Security Project (OWASP) - see:
> >http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_...

Gabriel Hurley

unread,
Feb 21, 2011, 11:31:31 PM2/21/11
to Django developers
I've got one bit of feedback to offer on the document (which I did
bookmark for future reference):

Monolithic documents present a huge problem for finding, using and
retaining information.

A very useful and interesting extension of this type of project would
be to work with people who have experience with information
architecture and data visualization to find new ways of presenting
this information. An interface that was simple, clear, interactive,
layered and multi-faceted would make your manifesto into a drastically
more valuable tool.

I would love to be able to sit down with an interface to all the
information you've gathered and "explore it". Ideally it would allow
me to visually follow threads of commonalities in vulnerabilities, see
clusters of the most common problem areas, and zoom in to the level of
detail you've gathered on any individual item if I so choose.

Either way, thank you for providing an interesting resource.

All the best,

- Gabriel Hurley

Rohit Sethi

unread,
Feb 22, 2011, 6:46:40 AM2/22/11
to Django developers
Gabriel, great idea! This is a problem with OWASP in general, but
definitely we can do better on this doc. I think we'll first focus on
putting our words in action with help in contributing some of the
features into Django first, and then revisit the doc. Mainly I'd like
to assess what pieces of it are way too complex to implement as part
of a core framework, and which ones are viable. Once we revise the
list we'll look at ways to better present the data rather than a huge
single doc.

Thanks!

Rohit

Jacob Kaplan-Moss

unread,
Feb 24, 2011, 6:55:48 AM2/24/11
to django-d...@googlegroups.com
Hi Rohit --

I had a skim of the document, too, and my feelings are pretty close to
Russ's, so I won't bother with any specific feedback -- he basically
speaks for me, too.

To build off Russ, though, I have a bit of a meta meta-suggestion
about OWASP in general. One huge problem I have as a software
developer is that security is a bit of blind spot: I know a bit I've
picked up here and there, but I really only know enough to not trust
myself to get it right. Now, I'm used to trusting others' opinions
about most of my technical blind spots, but the implications of
security failures mean that I don't just have a knowledge problem, I
*also* have a trust problem. I would be absolutely thrilled if there
was a resource I could reach out to for design help, code review,
advice for handling vulnerability reports, etc. I think OWASP has the
trust to be such a group.

The model here I think would be groups like the SFLC, who provide free
legal advice to free software authors. Law is another place, like
security, that has both a blind spot problem and a trust one, and they
(and similar groups/individuals) are a critical part of the open
source ecosystem.

We've strayed way off-topic, I think, and so I'll leave this there --
but feel free to contact me off-list if you want to discuss further.

Jacob

Rohit Sethi

unread,
Feb 28, 2011, 2:55:21 PM2/28/11
to Django developers
Hi Jacob, just as an FYI I messaged you last week about this off list
- my email was from my first name @securitycompass.com. Just wanted to
make sure you got it

Thanks,

Rohit
Reply all
Reply to author
Forward
0 new messages