This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011 Working Sessions/Session028"

From OWASP
Jump to: navigation, search
 
(14 intermediate revisions by 9 users not shown)
Line 4: Line 4:
 
| summit_session_attendee_name1 = Elke Roth-Mandutz
 
| summit_session_attendee_name1 = Elke Roth-Mandutz
 
| summit_session_attendee_email1 = [email protected]
 
| summit_session_attendee_email1 = [email protected]
 +
| summit_session_attendee_username1 =
 
| summit_session_attendee_company1= GSO-University of Applied Sciences
 
| summit_session_attendee_company1= GSO-University of Applied Sciences
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
  
| summit_session_attendee_name2 = Colin Watson
+
| summit_session_attendee_name2 = Jim Manico
| summit_session_attendee_email2 =  
+
| summit_session_attendee_email2 = [email protected]
| summit_session_attendee_company2=
+
| summit_session_attendee_username2 =  
 +
| summit_session_attendee_company2=Infrared Security
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
  
 
| summit_session_attendee_name3 = Chris Schmidt
 
| summit_session_attendee_name3 = Chris Schmidt
 
| summit_session_attendee_email3 = [email protected]
 
| summit_session_attendee_email3 = [email protected]
 +
| summit_session_attendee_username3 =
 
| summit_session_attendee_company3=Aspect Security
 
| summit_session_attendee_company3=Aspect Security
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=
Line 19: Line 22:
 
| summit_session_attendee_name4 = Justin Clarke
 
| summit_session_attendee_name4 = Justin Clarke
 
| summit_session_attendee_email4 = [email protected]
 
| summit_session_attendee_email4 = [email protected]
 +
| summit_session_attendee_username4 =
 
| summit_session_attendee_company4=Gotham Digital Science
 
| summit_session_attendee_company4=Gotham Digital Science
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=
  
| summit_session_attendee_name5 =  
+
| summit_session_attendee_name5 = Neil Matatall
| summit_session_attendee_email5 =  
+
| summit_session_attendee_email5 = [email protected]
 +
| summit_session_attendee_username5 = nmatatal
 
| summit_session_attendee_company5=
 
| summit_session_attendee_company5=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
  
| summit_session_attendee_name6 =  
+
| summit_session_attendee_name6 = Tony UcedaVelez
| summit_session_attendee_email6 =  
+
| summit_session_attendee_email6 = [email protected]
| summit_session_attendee_company6=
+
| summit_session_attendee_username6 = Tony UcedaVelez
 +
| summit_session_attendee_company6= VerSprite
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
  
| summit_session_attendee_name7 =  
+
| summit_session_attendee_name7 = Fred Donovan
| summit_session_attendee_email7 =  
+
| summit_session_attendee_email7 = [email protected]
| summit_session_attendee_company7=
+
| summit_session_attendee_username7 =  
 +
| summit_session_attendee_company7= Attack Logic
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
  
| summit_session_attendee_name8 =  
+
| summit_session_attendee_name8 = Alexandre Miguel Aniceto
| summit_session_attendee_email8 =  
+
| summit_session_attendee_email8 = [email protected]
| summit_session_attendee_company8=
+
| summit_session_attendee_username8 = Alexandre Miguel Aniceto
 +
| summit_session_attendee_company8= Willway
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
  
| summit_session_attendee_name9 =  
+
| summit_session_attendee_name9 = Antonio Fontes
| summit_session_attendee_email9 =  
+
| summit_session_attendee_email9 = [email protected]
| summit_session_attendee_company9=
+
| summit_session_attendee_username9 =  
 +
| summit_session_attendee_company9= L7 Sécurité
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
  
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_email10 =  
 
| summit_session_attendee_email10 =  
 +
| summit_session_attendee_username10 =
 
| summit_session_attendee_company10=
 
| summit_session_attendee_company10=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
Line 54: Line 64:
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_email11 =  
 
| summit_session_attendee_email11 =  
 +
| summit_session_attendee_username11 =
 
| summit_session_attendee_company11=
 
| summit_session_attendee_company11=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
Line 59: Line 70:
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_email12 =  
 
| summit_session_attendee_email12 =  
 +
| summit_session_attendee_username12 =
 
| summit_session_attendee_company12=
 
| summit_session_attendee_company12=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
Line 64: Line 76:
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_email13 =  
 
| summit_session_attendee_email13 =  
 +
| summit_session_attendee_username13 =
 
| summit_session_attendee_company13=
 
| summit_session_attendee_company13=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
Line 69: Line 82:
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_email14 =  
 
| summit_session_attendee_email14 =  
 +
| summit_session_attendee_username14 =
 
| summit_session_attendee_company14=
 
| summit_session_attendee_company14=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
Line 74: Line 88:
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_email15 =  
 
| summit_session_attendee_email15 =  
 +
| summit_session_attendee_username15 =
 
| summit_session_attendee_company15=
 
| summit_session_attendee_company15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
Line 79: Line 94:
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_email16 =  
 
| summit_session_attendee_email16 =  
 +
| summit_session_attendee_username16 =
 
| summit_session_attendee_company16=
 
| summit_session_attendee_company16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
Line 84: Line 100:
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_email17 =  
 
| summit_session_attendee_email17 =  
 +
| summit_session_attendee_username17 =
 
| summit_session_attendee_company17=
 
| summit_session_attendee_company17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
Line 89: Line 106:
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_email18 =  
 
| summit_session_attendee_email18 =  
 +
| summit_session_attendee_username18 =
 
| summit_session_attendee_company18=
 
| summit_session_attendee_company18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
Line 94: Line 112:
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_email19 =  
 
| summit_session_attendee_email19 =  
 +
| summit_session_attendee_username19 =
 
| summit_session_attendee_company19=
 
| summit_session_attendee_company19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
Line 99: Line 118:
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_email20 =  
 
| summit_session_attendee_email20 =  
 +
| summit_session_attendee_username20 =
 
| summit_session_attendee_company20=
 
| summit_session_attendee_company20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
Line 116: Line 136:
 
* Key configuration data, other EIS/service information
 
* Key configuration data, other EIS/service information
  
This section will treat these topics over three contexts:
+
For the purpose of the Portugal Summit, the session will focus on development within a "classic" N-tier Java application environment.
 
+
* "Classic" 3-tier application
 
* Phones (ios, Android)
 
* RIA
 
 
 
 
|-
 
|-
  
Line 141: Line 157:
 
|-
 
|-
  
| summit_session_objective_name1=  
+
| summit_session_objective_name1= Produce an informal threat model for each development scenario
  
| summit_session_objective_name2 =  
+
| summit_session_objective_name2 = Impart clear and simple shared understanding of threats associated with each development scenario (and dispel common misunderstandings/idioms) 
  
| summit_session_objective_name3 =  
+
| summit_session_objective_name3 = Define solution that resists defined attacks
  
| summit_session_objective_name4 =  
+
| summit_session_objective_name4 = Deliver solution implementation (snippets) to https://code.google.com/p/secure-coding-workshop/
  
 
| summit_session_objective_name5 =   
 
| summit_session_objective_name5 =   
Line 165: Line 181:
 
|-
 
|-
  
| working_session_additional_details =  
+
| working_session_additional_details = Within the N-tier Java environment, the session will tackle the following development scenarios:
 +
 
 +
1) - Coat Check
 +
* Removing information from a client
 +
* Server-side storage, memento pattern
 +
* Solving scale issues
 +
2) - Purse
 +
* Storing app-important information (like a purse)
 +
* Resisting attack with augmented plain-text storage!
 +
* Supporting back, reload, etc.
 +
* Patterns & design for anti-tampering protocols
 +
3) - Nuclear Briefcase
 +
* Sensitive, opaque information
 +
* Shuttling information between 3rd parties
 +
 
 +
Future summits will address the following two contexts as well:
 +
 
 +
* Phones (ios, Android)
 +
* RIA
 +
 
 +
However, for the purpose of this coming session, we will only conduct planning and 'homework assignments' for these contexts in the next session (likely Minnesota).
 +
 
 +
The session will work each of the three above development scenarios within the n-tier environment using the following work stream:
 +
 
 +
* Define problem
 +
* Conduct Cigital-style Threat Model (TM) exercise
 +
* Co-design solution based on particular threats and attack vectors
 +
* Implement solution within provided sample application-ette
 +
* Discuss testing and verification strategies for solution.
 +
 
 +
Participants will be taken through the above work stream, an abbreviated 'build security in' process designed to focus on implementation (rather than documentation or assurance), to restructure applications to demonstrate security patterns, integrate existing security functionality, or build security controls as necessary.
  
 
|-
 
|-
  
|summit_session_deliverable_name1 = A practical guideline (cookbook?) for safely storing information in a client program, particularly browsers.  Suggest tying recommendations to a threat model.
+
|summit_session_deliverable_name1 = (see objectives) Threat Models
 
+
|summit_session_deliverable_name2 = (see objectives) Code Snippets
|summit_session_deliverable_name2 =  
 
  
|summit_session_deliverable_name3 =  
+
|summit_session_deliverable_name3 = Plan and Extra-summit work-items for exercises in Phone and RIA  contexts during next summit
  
 
|summit_session_deliverable_name4 =  
 
|summit_session_deliverable_name4 =  
Line 192: Line 237:
 
| summit_session_leader_name2 =  
 
| summit_session_leader_name2 =  
 
| summit_session_leader_email2 =  
 
| summit_session_leader_email2 =  
 +
| summit_session_leader_username2 =
  
 
| summit_session_leader_name3 =  
 
| summit_session_leader_name3 =  
 
| summit_session_leader_email3 =  
 
| summit_session_leader_email3 =  
 +
| summit_session_leader_username3 =
  
 
|-
 
|-
Line 200: Line 247:
 
| operational_leader_name1 =
 
| operational_leader_name1 =
 
| operational_leader_email1 =
 
| operational_leader_email1 =
 +
| operational_leader_username1 =
  
 
|-
 
|-

Latest revision as of 11:35, 9 February 2011

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. secure coding.jpg Protecting Information Stored Client-Side
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Short Work Session Description This section will focus on providing mechanisms for protecting important or sensitive data applications and services need to store client-side. Contexts this section aims to cover include:
  • Personal or user-specific information
  • Application-specific information (tokens, secrets)
  • Key configuration data, other EIS/service information

For the purpose of the Portugal Summit, the session will focus on development within a "classic" N-tier Java application environment.

Related Projects (if any)


Email Contacts & Roles Chair
John Steven @

Operational Manager
Mailing list
Subscription Page
WORKING SESSION SPECIFICS
Objectives
  1. Produce an informal threat model for each development scenario
  2. Impart clear and simple shared understanding of threats associated with each development scenario (and dispel common misunderstandings/idioms)
  3. Define solution that resists defined attacks
  4. Deliver solution implementation (snippets) to https://code.google.com/p/secure-coding-workshop/

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time


Discussion Model
participants and attendees

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS
Within the N-tier Java environment, the session will tackle the following development scenarios:

1) - Coat Check

  • Removing information from a client
  • Server-side storage, memento pattern
  • Solving scale issues

2) - Purse

  • Storing app-important information (like a purse)
  • Resisting attack with augmented plain-text storage!
  • Supporting back, reload, etc.
  • Patterns & design for anti-tampering protocols

3) - Nuclear Briefcase

  • Sensitive, opaque information
  • Shuttling information between 3rd parties

Future summits will address the following two contexts as well:

  • Phones (ios, Android)
  • RIA

However, for the purpose of this coming session, we will only conduct planning and 'homework assignments' for these contexts in the next session (likely Minnesota).

The session will work each of the three above development scenarios within the n-tier environment using the following work stream:

  • Define problem
  • Conduct Cigital-style Threat Model (TM) exercise
  • Co-design solution based on particular threats and attack vectors
  • Implement solution within provided sample application-ette
  • Discuss testing and verification strategies for solution.

Participants will be taken through the above work stream, an abbreviated 'build security in' process designed to focus on implementation (rather than documentation or assurance), to restructure applications to demonstrate security patterns, integrate existing security functionality, or build security controls as necessary.

WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

(see objectives) Threat Models

After the Board Meeting - fill in here.

(see objectives) Code Snippets

After the Board Meeting - fill in here.

Plan and Extra-summit work-items for exercises in Phone and RIA contexts during next summit

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
Elke Roth-Mandutz @
GSO-University of Applied Sciences

Jim Manico @
Infrared Security

Chris Schmidt @
Aspect Security

Justin Clarke @
Gotham Digital Science

Neil Matatall @


Tony UcedaVelez @
VerSprite

Fred Donovan @
Attack Logic

Alexandre Miguel Aniceto @
Willway

Antonio Fontes @
L7 Sécurité