Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Guide to Building Secure Web Applications and Web Services

by cjf (Parson)
on Jun 27, 2002 at 03:37 UTC ( [id://177624]=perlmeditation: print w/replies, xml ) Need Help??

I just noticed a post on bugtraq that states the Open Web Application Security Project (OWASP) has released a paper on building secure web applications and web services. From the post:

We are pleased to announce that the first release of the Open Web Application Security Project “Guide to Building Secure Web Applications” is now online in both pdf (1.67Mb) and HTML.
...
The Guide covers various web application security topics from architecture to preventing attack specifics like cross site scripting, cookie poisoning and SQL injection.

At over 80 pages the guide is definately not a short read, but does look to be very comprehensive and of far higher quality than your average security paper. It's released under the GNU documentation license and is available via the OWASP website.

OWASP also has several other projects underway including an 'open source web application scanner called WebScarab (due end of the year), a set of generic API’s called Filters to allow developers to easily protect their applications from malicious input / output such as XSS (due in next 3 months) and a formal testing methodology.'

Replies are listed 'Best First'.
Re: Guide to Building Secure Web Applications and Web Services
by hakkr (Chaplain) on Jun 27, 2002 at 10:19 UTC
    Thanks cjf, This is the bomb and will now form the basis of my new security policy. I will be fully OWASP compliant. They should offer an auditing/certification scheme to make some cash. It is possibly missing stuff on LDAP but from their future developments I look forward to the next release. The name seems slightly misleading as this stuff does not just apply to open source programming.
      This is the bomb and will now form the basis of my new security policy

      If you're writing security policies you may also find The SANS Security Policy Project helpful. They currently have 25 example policies on everything from acceptable encryption use to wireless communication.

      It is possibly missing stuff on LDAP but from their future developments I look forward to the next release.

      There's some information here about what they're planning for future releases. I'm sure they're also open to suggestions for new sections and/or expanded coverage of current sections. If anyone's interested they don't currently have Perl listed under the upcoming language security parts either.

      The name seems slightly misleading as this stuff does not just apply to open source programming.

      I believe the 'Open' in OWASP refers to the fact they're releasing both the guide and their software under open source licenses. All the suggestions in the paper certainly apply to commercial application development as well.

      As for funding, they have a sponsorship request on the site as well.

        I am somewhat interested in helping them out with adding Perl to their supported languages. I am pretty busy though, is anyone else interested in a joint or group effort? I figure we could take a lot of information from here and from perldoc persec and the like. If anyone is interested, contact me at the email address listed in my perlmonks sratch pad. To see what languages they are going to do writeups on, see the Future Content section at this page

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlmeditation [id://177624]
Approved by FoxtrotUniform
Front-paged by grep
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others musing on the Monastery: (2)
As of 2024-03-19 06:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found