Summit 2011/OWASP Secure Coding Workshop

Global Summit 2011 Home Page
Global Summit 2011 Schedule
Global Summit 2011 Working Sessions

Working Sessions Operational Rules - Please see here the general frame of rules.

WORKING SESSION IDENTIFICATION
Work Session Name	No Fluff, Just Stuff
Short Work Session Description	This will be a "NO FLUFF" track where we pull out ourlaptops (not for email/IM), and show people how to develop securecode. Chris Schmidt referred to this here: http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html The Global Summit in Portugal will be a prototype for this new type of "track" and hopefully we can continue it in Minnesota for AppSec USA 2011. Pravir led something like this with SAMM (but regarding process) in Portugal the first time around and it was incredibly valuable. I'd like to propose the following skeleton and get passionate developers to sign up for it. I'm imagining 1/2 day sessions. (So, over four days, we could have eight (8) facilitators). I suggest we pick a single target (Java EE?), a single victim app, and a single container as a 'base of operations' for the first one to keep things simple.
Related Projects (if any)
Email Contacts & Roles	Chair John Steven	Secretary	Mailing list Subscription Page

WORKING SESSION SPECIFICS
Objectives	Track Mission: Building Security In: Using OWASP tools/techniques/code to build secure applications. (The list below is not in any particular order. In fact, that may be something to talk about. I've tried to provide four (4) one-hour seeds for each session, subject again to discussion)
Venue/Date&Time/Model	Venue OWASP Global Summit Portugal 2011	Date&Time	Discussion Model

WORKING SESSION ADDITIONAL DETAILS

1. Applying ESAPI Input Validation

Serial Decomp: Decode, canonicalize, filter
Structured data (SSN, CC, etc.)
Unstructured data (comments, blogs, etc.)
Other input exaples (ws-, database, etc.)

2. Defining AppSensor Sensors for:

Forced Browsing
Request Velocity
Unexpected encodings
Impersonation (Sudden user switch)

3. Managing Sessions

Across requests
Across containers
Invalidating sessions (Timeout, attack event, logout)
Invalidating sessions (across containers, SSO token invalidation, user termination)

4. Protecting Information Stored Client-Side

Threat Modeling the problem
Protecting theft and re-playability of application-specific info (on client & in flight)
Protecting theft and re-playability of session-specific info (in flight)
Protecting session-specific information from attack on the client

5. Protecting against CSRF

Hygiene: Discuss/show frames-busting, cross-domain policy; Discuss referrer and other red herrings
Tokens (crafting, scoping, and checking)
Discussions, techniques on scale
Discussions, techniquest on CAPTCHA, re-auth, etc.

6. Providing Access to Persisted Data

Controlling visibility of tables by role
Providing access to safe SQL-like query through DAO layer
Discussions, techniques for providing secure'auto-wiring' / marshaling
Encoding and canonicalization for storage (or alternatively: Security concerns with heirarchical caching and object pooling)

7. and 8. TBD

There also will be a session to process the "Future" of "No Fluff, Just Stuff" -- How do we scale this idea and how can we get sponsorship for it? We hope to schedule at least two more "No Fluff, Just Stuff" days for 2011.

WORKING SESSION OUTCOMES
Statements, Initiatives or Decisions	Proposed by Working Group	Approved by OWASP Board
		After the Board Meeting - fill in here.
		After the Board Meeting - fill in here.

Working Session Participants

(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)


Name	Company	Notes & reason for participating, issues to be discussed/addressed

If needed add here more lines. |}

Summit 2011/OWASP Secure Coding Workshop

Working Session Participants

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools