Thursday, May 29, 2008


  • OWASP.NET story and Who the heck am I?

Where we've been
  • Timely and targeted content and tools
    • .Net and Partial vs. Full trust
    • Rooting The CLR
    • .Net Assembly Analyzer
    • Owasp Report Generator
    • Owasp Site Generator
  • Great work with content and promotion by Dinis and Mike D, very tactical but maybe unreachable by a non-security developer

OWASP .NET SOC 2008 Goals
  • Balance highly technical content, tools with content to help developers get on board quickly.
  • Provide role based content (e.g. Architects, Developers, Ops, Pen Testers)
  • Get the word out. Remind everyone about us.
  • Participate in our consituent communities in OWASP, .NET and Security.
  • Alt.NET. There is great interest in alternative ideas, methodologies and tools. OWASP .NET can leverage this momentum and attract volunteers from this community.

OWASP .NET Long Term Goals

OWASP .NET In Action
  • Mobilize OWASP .NET resources. Project volunteers can consult technology teams and provide great resources.
OWASP .NET Vulnerability Reviews
  • Initiate projects to review community .NET web projects. How do you secure Flexwiki or Community Server? Has anyone pen tested these apps.
OWASP .NET Code Projects
  • Next generation of OWASP projects, like Report Generator and Site Generator.
  • Guidance and Framework that integrates with ESAPI.NET and other providers (E.g. OpenID). Put it in place, and login controls, access control, auditing/logging/instrumentation visualizers are available.
  • Security testing code projects. NUnit and mock objects are useful tools, maybe a security toolset that includes fuzzing objects, common vulnerabilities, injection, FXCop, Owasp objects. SDD - Security Driven Development.

Call to Action

Join the mailing list

Go to the following page and fill out the section that says is titled "Subscribing to Owasp-dotnet".

Join a project

Submit ideas for research

Funded Summer of Code projects

For example, see SoC 2008:

Feel free to contact me with any questions

Friday, May 23, 2008

Chronicling my trip to the Ghent, Belgium to talk about OWASP .NET Project plans, the next couple of blog posts will cover my recollections and impressions. First off, my presentation was fast and furious and while I was a little awkward, trying to get the feel for my audience and the environment, I think I managed to communicate our goals and plans. I had a few people express interest in different things we are doing and I consider that a win, as most of the developers at the conference were Java security pro's. I had to pimp my java skills to get the audience on my side, and not come across as a Microsoft only professional. So, it went well, I have a few references and will be posting more about Anti-Samy for .NET, Open research on community projects and an action plan. Look forward to these posts in the next few days.

Saturday, May 17, 2008

Project Reorganization

  • Added WCF Security Best Practices
  • Finished my bullet points or "elevator speech" for the OWASP .NET Project
  • Finished my OWASP .NET Project slides for OWASP Europe Keynote
  • Finished OWASP .NET Project presentation
  • Added / Updated OWASP .NET Content

Media Outreach
  • OWASP .NET Project mentioned at ASPNetPro, in Open Source Security
  • I've had a few people contact me or Paulo Coimbra who are interested in contributing to the project.
  • I'm selectively e-mailing people about the project, letting them know that it's around and what we're up to.

This week's plan
  • I'll be in Ghent, Belgium for the OWASP European Conference. I'm on stage for the OWASP Tour keynote presented by Dinis Cruz (I have a couple of slides).
  • I'll write some stuff for the .NET Security for Penetration Testing pages.
  • I will reach out to the people at the following print magazines, Homeland Defense, ISSA, MSDN Magazine and Code magazine. Maybe they're interested in the project or an article.

I'm looking for anyone who is interested in writing articles or content, or code and tools for the OWASP .NET Project. I've put out a few announcements about the project. The most recent can be found at ASP.NET (Microsoft's ASP.NET site) @ :

Hi all,

We're starting up the OWASP (Open Web Application Security Project) .NET Project Reorganization and I'm looking for your feedback. OWASP is a worldwide free and open community focused on improving the security of application software. The purpose of the OWASP .NET Project is to provide a central repository of information and tools for software professionals that use the Microsoft .NET Framework for web applications and services. The project will try to include resources from Microsoft and from the Open Source community, the Alt.NET community and other related security resources. We're looking for feedback from the ASP.NET community here for projects, tools and articles to help developers secure their code and sites as we redirect our efforts.

In addition to feedback, if you have time and you're looking to work on projects for .NET security, if you want to write articles, create tools or other projects to help out fellow developers, please join us.

For more information, feel free to e-mail me @ or visit our site in progress: OWASP .NET Project Reorganization (Alpha).

Mark Roxberry
OWASP .NET Project Leader

Friday, May 16, 2008

I added WCF Security Best Practices to the OWASP .NET Site. The content is just a summary of what lives at Codeplex, but OWASP .NET should have references like this attributed to the author(s). I put the checklist up at OWASP; the reader can go to Codeplex the site for more information.

Thursday, May 15, 2008

The Summer of Code is in full swing and we're looking for reviewers for projects. I am also looking for contributors for the OWASP .NET Project. For reviewers, there's quite a few projects and compensation, free tickets to the OWASP NYC Conference or 12.5% of the project's stipend (~$300-$600). Here's the recent e-mail from Paulo Coimbra:

Hello everyone,

I hope you all are well.

As you already know, OWASP has awarded 31 grants to promising application security researchers as part of the OWASP Summer of Code 2008 (SoC 2008).

As a result, I am here again taking your time - we are seeking out for project reviewers so as to have all these projects assessed.

Consequently, if you are interested in performing such task, please don't hesitate and let us know as soon as possible. As a volunteer organization, we rely absolutely on your contribution. Hence, we lively encourage you to put forward your application to assume this reviewer role.  

To make your decision please look at the following information:

Where are the projects to review? These projects can be found here.

What are the reviewers' main tasks?

A. The main tasks are the result of a set of rules previously established in both the OWASP Summer of Code 2008 initiative and the OWASP Project Assessment criteria .

B. To exemplify, please take into consideration the OWASP Skavenger Project.

C. Simplifying , I would say that the work review will basically consist in certifying that the project's objectives and deliveries were accomplished and, taking into consideration the OWASP assessment criteria, in certifying that the Beta Status was reached. Additionally we expect the reviewer always to be available to provide useful advice to the project developer. These tasks must be performed twice: the first one, the 50% Review, by June 29 and the second one, the Final Review, by September 15.

D. Regarding the question of the project status, it is important to clarify that, even though the majority of the projects have to reach Beta status, there are also some others, in which the status target is Release Quality. That is to say, that each project built on previous work done within OWASP (Existing OWASP Projects) should obtain Reviewers' agreement that a Release Quality stage was achieved.

3. Who can be a reviewer? If you are interested in contributing and feeling comfortable with the technical matters in question, you can be project reviewer. We encourage also the OWASP Summer of Code 2008 participants to take part in reviewing someone else's SoC 2008 project. However, please pay attention to the fact that, at least, one of the two Project Reviewers should be an OWASP Project or Chapter Leader.

4. Will this work be paid? Well, in terms of paying the market value of your work, we wouldn't dare say 'yes'. However, we will reward this contribution either with a free ticket to attend the OWASP NYC AppSec 2008 Conference or with 12,5% of the value of the project to be reviewed.

Where can I find the project's progress page in which I am interested?  That is to ask, where can I find the page similar to the OWASP Skavenger Project one? Currently, nowhere, but very soon each project will be supplied with its own progress page.

So, if I am interested in being one of the reviewers,
how should I proceed?

A. Please drop me a line to let me know about your interest.

B. I will put you in direct contact with the project's author.

C. Having reached the author's agreement, please inform us.

D. As all reviewers must have OWASP Board approval, we will inform you as soon as possible about their decision.  

To conclude, having any kind of doubt, don't hesitate and get back to us.

We thank you in advance, best regards,

Paulo Coimbra
OWASP Project Manager

Friday, May 9, 2008

First off, this is my blog for stuff for the OWASP .NET Project. It isn't moderated or officially endorsed by OWASP. And anything I write here, is my opinion or experience. Feel free to comment or criticize.

That being said, I'd like to use this blog as an online notebook to track progress and capture ideas that aren't necessarily ready for the OWASP .NET Project Wiki. I'd like to use this to preview articles and content and have anyone who is interested give me feedback. I will also use it for announcements about OWASP projects and OWASP events that are relevant to the .NET Project.

The status for the .NET Project as of 5/10/2008

Project Reorganization
I've spent more time on drafts and ideas. I put more links for pages up, but am still working on the content for roles. My draft is becoming more like a guide (and maybe that's what it should be).

I started a Google code project, OWASP .NET Content, to track content submissions, edits, reviews and archives. Specific status items can be found here. I'll keep it updated and when a critical mass is reached, I'll ping the mailing list. Each task will be listed, and you can get a status of what is being worked on. Feel free to join the project.

Media Outreach
I worked on the presentation and will put out "talking points" for the project (this is actually the current tasks that I am working on).

I'll put a link to the tracking document here. This week I'll send out a letter to the editor for MSDN, Code Magazine and hit up a few of the podcasts to see if anyone is interested. I'll also hit up OWASP again about their podcasting plan.

The difficulty I expect to have is that everything is a work in progress and everyone is short on time (this is why I started the Content project on Google Code, to get a good list of completed items to talk about).

Looking Ahead
Here are a few ideas that I'd like to explore beyond my commitment to the reorganization:

1. Measure / Countermeasure research for .NET technologies and platforms

I put up a page for OWASP .NET Vulnerability research. Has any of the stuff that we're putting into play been pen tested or is there sufficient guidance for security? Maybe, but OWASP .NET can be the clearinghouse for testing these projects.

2. Developing a Security Framework for ASP.NET

One of my personal fears is that as secure as I can make my site, or a client's site, that's all moot if you wander to a site that isn't secure. With the express editions of Visual Studio and the relatively cheap cost to run a .NET / SQL Server web application on a shared server, there's the potential of a lot of insecure code waiting to be exploited. I'd like to distill the SDL to a few checklists and push out a framework that gives a decent secure site. Some of the features that the framework would include:

  • Guidance navigator content (checklists for securing a site or service)
  • Provider model for security API (e.g. ESAPI .NET integration and realization
  • Webform and MVC flavors (including web controls using the API)
  • Unit tests
  • Access Control visualization - start with full exclusion and have an access control visualization for configuration and validation to test the controls.
  • Plugin / Provider framework for XSS / SQL Injection / Fuzzing / other vulnerability testing (ala NUNIT for penetration testing)
3. Interactive .NET Security Educational Materials

I've been using the Grava beta and it's a pretty engaging tool for education. It's obvious with the recent SQL Injection "worm" that applications are not being tested for basic security flaws. The problem is part tools and part education. And with the next generation of developers coming into the workforce, we have to provide the tools and education (and a discussion about consequences and ethics) to protect our users.

Comments are welcome.