This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011/OWASP Secure Coding Workshop"

From OWASP
Jump to: navigation, search
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
[http://www.owasp.org/index.php/Summit_2011 ''' Global Summit 2011 Home Page''']<br>
+
#REDIRECT [[Summit_2011_Working_Sessions/Session025]]
[http://www.owasp.org/index.php/Summit_2011_Schedule ''' Global Summit 2011 Schedule''']<br>
 
[http://www.owasp.org/index.php/Summit_2011_Working_Sessions ''' Global Summit 2011 Working Sessions''']
 
 
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" colspan="7" style="background: none repeat scroll 0% 0% rgb(179, 179, 179); color: white;" | <font color="black">'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].</font>
 
|}
 
 
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" colspan="7" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font color="white">'''WORKING SESSION IDENTIFICATION'''</font>
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Work Session Name'''
 
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <font color="black"><span style="font-weight: bold;">OWASP Secure Coding Workshop - NOBULLSEC</span></font>
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Short Work Session Description'''
 
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |  This will be a "NO FLUFF" track where we pull out ourlaptops (not for email/IM), and show people how to develop securecode. Chris Schmidt referred to this here: http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html  The Global Summit in Portugal will be a prototype for this new type of "track" and hopefully we can continue it in Minnesota for AppSec USA 2011. Pravir led something like this with SAMM (but regarding process) in Portugal the first time around and it was incredibly valuable.
 
<br>
 
I'd like to propose the following skeleton and get passionate developers to sign up for it. I'm imagining 1/2 day sessions. (So, over four days, we could have eight (8) facilitators). I suggest we pick a single target (Java EE?), a single victim app, and a single container as a 'base of operations' for the first one to keep things simple.
 
<br>
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Related Projects (if any)'''
 
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |
 
|-
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Email Contacts &amp; Roles'''
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Chair'''<br>[mailto:[email protected] '''John Steven''']
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Secretary'''<br>
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Mailing list'''<br>[http://www.owasp.org/index.php/Summit_2011#tab=How_Do_I_Join.3F_.2F_Mailing_list '''Subscription Page''']
 
|}
 
 
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" colspan="7" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | <font color="white">'''WORKING SESSION SPECIFICS'''</font>
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Objectives'''
 
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | Track Mission: Building Security In: Using OWASP tools/techniques/code to build secure applications. (The list below is not in any particular order. In fact, that may be something to talk about. I've tried to provide four (4) one-hour seeds for each session, subject again to discussion)<br>
 
|-
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Rules of Engagement'''
 
| align="left" colspan="6" style="width: 85%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |
 
*Facilitator role replaces "speaker". They lead the session, but the session is a working session, laptops open, whiteboards filling. This is not a lecture. <br>
 
*Other facilitators adopt the present facilitator's goal as their own and we drive the concept/design/code forward Dissenting views are for drinks later. <br>
 
*Sessions are open to all participants provided they have at least the ability to read the chosen language, and have the following things installed when they arrive:<br>
 
**Our victim app<br>
 
**All session dependencies<br>
 
**Dev tools sufficient to build and run the app and our dependencies<br>
 
*Facilitators must agree to attend six (6) out of eight (8) sessions. Failing that, they're booted from the next venue<br>
 
*The objective of each session is split between educating participants and bringing the state of the practice forward.<br>
 
*Participants may bring whatever code they like, provided they contribute it to OWASP.<br>
 
*Facilitators should seek to absorb any new developments into the next conference session. IE: each session should have some new and unique content <br>
 
*Facilitators don't 'own' topics, in fact, I'd like them to rotate between cons. if possible.
 
<br>
 
 
 
|-
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | '''Venue/Date&amp;Time/Model'''
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Venue'''<br>[http://www.owasp.org/index.php/Summit_2011 OWASP Global Summit Portugal 2011]
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |
 
'''Date&amp;Time'''
 
 
 
| align="center" style="width: 25%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Discussion Model'''<br>
 
|}
 
 
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" colspan="7" style="background: none repeat scroll 0% 0% white; color: white;" | <font color="black"></font> <br>
 
|}
 
 
 
<br>
 
 
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" colspan="7" | <font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''</font>
 
|-
 
| align="left" style="width: 100%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" |
 
'''1. Applying ESAPI Input Validation'''
 
*Serial Decomp: Decode, canonicalize, filter<br>
 
*Structured data (SSN, CC, etc.) <br>
 
*Unstructured data (comments, blogs, etc.) <br>
 
*Other input exaples (ws-, database, etc.) <br>
 
'''2. Defining AppSensor Sensors for:'''<br>
 
*Forced Browsing <br>
 
*Request Velocity<br>
 
*Unexpected encodings<br>
 
*Impersonation (Sudden user switch) <br>
 
'''3. Managing Sessions'''<br>
 
*Across requests<br>
 
*Across containers<br>
 
*Invalidating sessions (Timeout, attack event, logout)<br>
 
*Invalidating sessions (across containers, SSO token invalidation, user termination)<br>
 
'''4. Protecting Information Stored Client-Side'''<br>
 
*Threat Modeling the problem <br>
 
*Protecting theft and re-playability of application-specific info (on client & in flight)<br>
 
*Protecting theft and re-playability of session-specific info (in flight)<br>
 
*Protecting session-specific information from attack on the client <br>
 
'''5. Protecting against CSRF - Dan Cornell, Eric Sheridan '''<br>
 
*Hygiene: Discuss/show frames-busting, cross-domain policy; Discuss referrer and other red herrings <br>
 
*Tokens (crafting, scoping, and checking)<br>
 
*Discussions, techniques on scale<br>
 
*Discussions, techniquest on CAPTCHA, re-auth, etc. <br>
 
'''6. Providing Access to Persisted Data'''<br>
 
*Controlling visibility of tables by role<br>
 
*Providing access to safe SQL-like query through DAO layer<br>
 
*Discussions, techniques for providing secure'auto-wiring' / marshaling<br>
 
*Encoding and canonicalization for storage (or alternatively: Security concerns with heirarchical caching and object pooling) <br>
 
 
 
'''7. and 8. TBD'''
 
 
 
There also will be a session to process the "Future" of a "NO FLUFF" OWASP Secure Coding Working Group -- How do we scale this idea and how can we get sponsorship for it?  We hope to schedule at least two more "No Fluff" days for 2011.
 
 
 
|}
 
 
 
<br>
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" colspan="3" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" | '''WORKING SESSION OUTCOMES'''
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(108, 130, 181);" | Statements, Initiatives or Decisions
 
| align="center" style="width: 46%; background: none repeat scroll 0% 0% rgb(179, 179, 179);" | '''Proposed by Working Group'''
 
| align="center" style="width: 47%; background: none repeat scroll 0% 0% rgb(179, 179, 179);" | '''Approved by OWASP Board'''
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 46%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" |
 
| align="center" style="width: 47%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | After the Board Meeting - fill in here.
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 46%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" |
 
| align="center" style="width: 47%; background: none repeat scroll 0% 0% rgb(194, 194, 194);" | After the Board Meeting - fill in here.
 
|}
 
 
 
 
 
== Working Session Participants  ==
 
 
 
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
 
 
 
 
 
{| border="0" align="center" style="width: 100%;"
 
|-
 
! align="center" style="background: none repeat scroll 0% 0% rgb(64, 88, 160); color: white;" colspan="7" | <font color="white">'''WORKING SESSION PARTICIPANTS'''</font>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Name'''
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Company'''
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | '''Notes &amp; reason for participating, issues to be discussed/addressed'''
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|-
 
| align="center" style="width: 7%; background: none repeat scroll 0% 0% rgb(123, 138, 189);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 15%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
| align="center" style="width: 63%; background: none repeat scroll 0% 0% rgb(204, 204, 204);" | <br>
 
|}
 
 
 
If needed add here more lines.
 
|}
 
<br>
 
 
 
[[Category:OWASP_Working_Session]]
 
[[Category:Summit_2011]]
 

Latest revision as of 12:04, 19 December 2010

Redirect to:

Retrieved from "https://wiki.owasp.org/index.php?title=Summit_2011/OWASP_Secure_Coding_Workshop&oldid=97094"