Difference between revisions of "Summit 2011/OWASP Secure Coding Workshop"

I'd like to propose the following skeleton and get passionate developers to sign up for it. I'm imagining 1/2 day sessions. (So, over four days, we could have eight (8) facilitators). I suggest we pick a single target (Java EE?), a single victim app, and a single container as a 'base of operations' for the first one to keep things simple.

• Facilitator role replaces "speaker". They lead the session, but the session is a working session, laptops open, whiteboards filling. This is not a lecture.
  
• Other facilitators adopt the present facilitator's goal as their own and we drive the concept/design/code forward Dissenting views are for drinks later.
  
• Sessions are open to all participants provided they have at least the ability to read the chosen language, and have the following things installed when they arrive:
  
  • Our victim app
    
  • All session dependencies
    
  • Dev tools sufficient to build and run the app and our dependencies
    
• Facilitators must agree to attend six (6) out of eight (8) sessions. Failing that, they're booted from the next venue
  
• The objective of each session is split between educating participants and bringing the state of the practice forward.
  
• Participants may bring whatever code they like, provided they contribute it to OWASP.
  
• Facilitators should seek to absorb any new developments into the next conference session. IE: each session should have some new and unique content
  
• Facilitators don't 'own' topics, in fact, I'd like them to rotate between cons. if possible.

Date&Time

1. Applying ESAPI Input Validation

• Serial Decomp: Decode, canonicalize, filter
  
• Structured data (SSN, CC, etc.)
  
• Unstructured data (comments, blogs, etc.)
  
• Other input exaples (ws-, database, etc.)
  

2. Defining AppSensor Sensors for:

• Forced Browsing
  
• Request Velocity
  
• Unexpected encodings
  
• Impersonation (Sudden user switch)
  

3. Managing Sessions

• Across requests
  
• Across containers
  
• Invalidating sessions (Timeout, attack event, logout)
  
• Invalidating sessions (across containers, SSO token invalidation, user termination)
  

4. Protecting Information Stored Client-Side

• Threat Modeling the problem
  
• Protecting theft and re-playability of application-specific info (on client & in flight)
  
• Protecting theft and re-playability of session-specific info (in flight)
  
• Protecting session-specific information from attack on the client
  

5. Protecting against CSRF - Dan Cornell, Eric Sheridan

• Hygiene: Discuss/show frames-busting, cross-domain policy; Discuss referrer and other red herrings
  
• Tokens (crafting, scoping, and checking)
  
• Discussions, techniques on scale
  
• Discussions, techniquest on CAPTCHA, re-auth, etc.
  

6. Providing Access to Persisted Data

• Controlling visibility of tables by role
  
• Providing access to safe SQL-like query through DAO layer
  
• Discussions, techniques for providing secure'auto-wiring' / marshaling
  
• Encoding and canonicalization for storage (or alternatively: Security concerns with heirarchical caching and object pooling)
  

7. and 8. TBD

There also will be a session to process the "Future" of a "NO FLUFF" OWASP Secure Coding Working Group -- How do we scale this idea and how can we get sponsorship for it? We hope to schedule at least two more "No Fluff" days for 2011.