Re: FW: Dev Outreach: Where do we go from here?


Rohit Sethi

Apr 5, 2011, 9:53:03 PM
to owasp-dev-out...@googlegroups.com
Hi all,

Sorry for the slow reply on this.  We're still trying to figure out the best way to meet the need that Jacob Kaplan-Moss from Django articulated. I just sent him a message summarizing our current thinking - I'll report back to this group when I hear back from him.

In the interim we've started some work on adding additional security measures to Django's contrib.auth authentication framework as a third party plugin as well as other security enhancements. We hope to deploy this within the next month or so as part of a separate Django Security project. If the code proves popular, we can use that as reason to try and push some of the features into out-of-the-box Django.

I now fundamentally believe the best way to improve the security of open source frameworks / libraries is to just contribute to them. I was thinking that trying to start a campaign of asking individuals to submit one security patch / feature to the framework of their choice might be a good way to foster real change and build up momentum. I tried to propose something similar on the Java project but didn't really get anywhere: https://lists.owasp.org/pipermail/java-project/2011-March/000332.html

What do you think? Is this doable, or are we asking for too much of a time commitment?


-----Original Message-----
From: Jim Manico [mailto:jim.m...@owasp.org]
Sent: Saturday, April 02, 2011 2:49 PM
To: owasp-dev-out...@googlegroups.com
Cc: owasp-dev-out...@googlegroups.com; Sethi, Rohit
Subject: Re: Dev Outreach: Where do we go from here?

Thanks Jim.

Rohit is a big part of this: He is working with the Django Framework and is starting to form a cross-organization "think tank" so FOSS Framework teams can approach an expert committee in private to discuss AppSec issues. Several banks have asked for the same kind of private, objective, non-commercial resource.

OWASP's mission of "Open" makes it a challenge to make this an official OWASP project which is why I think a "cross-organization committee" is key.

-Jim Manico
http://manico.net

On Mar 31, 2011, at 12:00 PM, JIM BIRD <jim...@shaw.ca> wrote:

> I suggest pick one problem where the OWASP community can help and make a real difference, and focus on doing something about it. The number one problem that developers (including me) identified is the lack of secure development frameworks. It makes sense to me to start with what people have said is most important.
>
> Jim Manico has some ideas on how OWASP can help with this, and knows about people who are working on making frameworks more secure. As Jim explained at the SANS Appsec conference this year, it's not necessary to secure every framework to make a difference. There are a small number of common frameworks; making them more safe to use will make a big difference - and hopefully create a snowball effect, as more people get involved and start understanding the problems and trying to solve them.
>
> Rohit Sethi and his team are working on helping to secure Django and he has some good ideas on what can be done on secure frameworks.
> http://labs.securitycompass.com/index.php/2011/03/11/closing-the-secure-web-application-framework-manifesto-project/
>
> I am sure there are other people doing good work like this.
>
> My suggestion is to start by setting up something in the Builders section to track and publicize who is doing what to help make which frameworks secure by default - or at least safer to use. Create some buzz, see who is interested and who is already involved, and build some momentum. And show how OWASP is helping the community, attract more developers to the cause.
>
> I am sure other people will have more concrete ideas of what to do next.
>
> Jim Bird
>
> ----- Original Message -----
> From: John Wilander <john.w...@owasp.org>
> Date: Sunday, March 27, 2011 4:39 pm
> Subject: Dev Outreach: Where do we go from here?
> To: OWASP Dev Outreach Discuss <owasp-dev-out...@googlegroups.com>
>
> > Hi Dev Outreach Discuss!
> >
> > As said on the steering list we now have an official home for the
> > OWASP Builders:
> > http://www.owasp.org/index.php/Builders
> >
> > ... with a tab that summarizes the results of the initial developer
> > outreach:
> > http://www.owasp.org/index.php/Builders#tab=Developer_Outreach
> >
> > The questions are many:
> > * What conclusions can we draw?
> > * How can OWASP engage in the right things ahead?
> > * How do we set up a more ambitious outreach using a proper survey
> > etc?
> >
> >    Regards, John
> >



--
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi

Rohit Sethi

Apr 7, 2011, 9:11:07 AM
to owasp-dev-out...@googlegroups.com
Anyone?

John Wilander

Apr 7, 2011, 3:17:26 PM
to owasp-dev-out...@googlegroups.com, Rohit Sethi
So, how about a tab each for the active engagements we have in frameworks today. On each tab we get to enter names, contact info, and how we're working with them.

The best idea from the initial outreach was in my opinion the frameworks vs security features matrix. Imagine ...

              | Django | Struts 2 | Spring MVC | .NET MVC | Drupal
Injection     |        |          |            |          |
XSS           |        |          |            |          |
Sessions      |        |          |            |          |
Auth          |        |          |            |          |
Dir traversal |        |          |            |          |
CSRF          |        |          |            |          |

... and then links in the cells. That would be awesome, don't you think?

   Regards, John


2011/4/7 Rohit Sethi <rkl...@gmail.com>



--
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com

Jim Manico

Apr 7, 2011, 3:58:07 PM
to owasp-dev-out...@googlegroups.com, owasp-dev-out...@googlegroups.com, Rohit Sethi
Most important: Use THEIR bug tracking system and work 100% within the developers world. And please try not to make fun of devs who may write insecure code. ;)

-Jim Manico

Rohit Sethi

Apr 7, 2011, 5:40:06 PM
to John Wilander, owasp-dev-out...@googlegroups.com
I think this is a good approach; however, I'm not clear what links would be in the cells?

Also, I think one mistake from the manifesto project was to restrict to "frameworks" when really there are many open source libraries that have a major impact on web application security besides standard MVC frameworks. For scoping reasons it may make sense to start with MVC but we shouldn't stop there.


--
Sent from my mobile device
