Re: Towards framework security

[Rohit Sethi <rklists () gmail com>]

Hi Benjamin,

I appreciate the suggestion. I think the challenge is that it's hard to find
a one size fits-all solution. Moreover, the requirements as they currently
stand don't reflect the reality of implementation challenges for frameworks.
The whitepaper will forever live as an artifact on
http://labs.securitycompass.com/papers/secure-web-application-framework-manifesto-v0-08.pdf-
it might be useful as reference material and to give an idea of a
starting
point on things you can do to integrate with frameworks.



On Mon, Mar 14, 2011 at 3:36 PM, Benjamin Tomhave <
tomhave () secureconsulting net> wrote:

> That's interesting - thanks for the update Rohit. I'm curious about one
> thing, though (and, first, allow me to don my flak jacket). I think
> integrating with a project like Django to simply *ahem* "build security
> in" is a great approach, but I hate to see the white paper lost. Why not
> also look at joining efforts with something like the Rugged Manifesto
> movement? fwiw.
>
> On 3/11/11 1:14 PM, Rohit Sethi wrote:
> > Last year we released a project called the Secure Web Application
> > Framework Manifesto on OWASP. I'd like to announce that we're closing
> > it, in favor of simply working with Django itself. I'm hoping others
> > will adopt the same mentality for other popular open source frameworks
> > and libraries.
> >
> > Details here:
> http://labs.securitycompass.com/index.php/2011/03/11/closing-the-secure-web-application-framework-manifesto-project/
> > Cheers,
> >
> > --
> > Rohit Sethi
> > Security Compass
> > http://www.securitycompass.com
> > twitter: rksethi
> >
> >
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L) SC-L () securecoding org
> > List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> > List charter available at - http://www.securecoding.org/list/charter.php
> > SC-L is hosted and moderated by KRvW Associates, LLC (
> http://www.KRvW.com)
> > as a free, non-commercial service to the software security community.
> > Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> > _______________________________________________
> --
> Benjamin Tomhave, MS, CISSP
> tomhave () secureconsulting net
> Blog: http://www.secureconsulting.net/
> Twitter: http://twitter.com/falconsview
> LI: http://www.linkedin.com/in/btomhave
>
> [ Random Quote: ]
> "Perhaps in time the so-called Dark Ages will be thought of as including
> our own."
> Georg Christoph Lichtenberg
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L () securecoding org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________



-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________