Friday, May 9, 2008

First off, this is my blog for stuff for the OWASP .NET Project. It isn't moderated or officially endorsed by OWASP. Anything I write here is my opinion or experience. Feel free to comment or criticize.

That being said, I'd like to use this blog as an online notebook to track progress and capture ideas that aren't necessarily ready for the OWASP .NET Project Wiki. I'd like to use this to preview articles and content and have anyone who is interested give me feedback. I will also use it for announcements about OWASP projects and OWASP events that are relevant to the .NET Project.

The status for the .NET Project as of 5/10/2008

Project Reorganization
I've spent more time on drafts and ideas. I put more links for pages up, but am still working on the content for roles. My draft is becoming more like a guide (and maybe that's what it should be).

I started a Google Code project, OWASP .NET Content, to track content submissions, edits, reviews and archives. Specific status items can be found here. I'll keep it updated and when a critical mass is reached, I'll ping the mailing list. Each task will be listed, and you can get a status of what is being worked on. Feel free to join the project.

Media Outreach
I worked on the presentation and will put out "talking points" for the project (these are actually the current tasks that I am working on).

I'll put a link to the tracking document here. This week I'll send out a letter to the editor for MSDN, Code Magazine and hit up a few of the podcasts to see if anyone is interested. I'll also hit up OWASP again about their podcasting plan.

The difficulty I expect to have is that everything is a work in progress and everyone is short on time (this is why I started the Content project on Google Code, to get a good list of completed items to talk about).

Looking Ahead
Here are a few ideas that I'd like to explore beyond my commitment to the reorganization:

1. Measure / Countermeasure research for .NET technologies and platforms

I put up a page for OWASP .NET Vulnerability research. Has any of the stuff that we're putting into play been pen tested or is there sufficient guidance for security? Maybe, but OWASP .NET can be the clearinghouse for testing these projects.

2. Developing a Security Framework for ASP.NET

One of my personal fears is that as secure as I can make my site, or a client's site, that's all moot if you wander to a site that isn't secure. With the express editions of Visual Studio and the relatively cheap cost to run a .NET / SQL Server web application on a shared server, there's the potential of a lot of insecure code waiting to be exploited. I'd like to distill the SDL to a few checklists and push out a framework that gives a decent secure site. Some of the features that the framework would include:

  • Guidance navigator content (checklists for securing a site or service)
  • Provider model for security API (e.g. ESAPI .NET integration and realization)
  • Webform and MVC flavors (including web controls using the API)
  • Unit tests
  • Access Control visualization - start with full exclusion and have an access control visualization for configuration and validation to test the controls.
  • Plugin / Provider framework for XSS / SQL Injection / Fuzzing / other vulnerability testing (à la NUnit for penetration testing)

3. Interactive .NET Security Educational Materials

I've been using the Grava beta and it's a pretty engaging tool for education. It's obvious with the recent SQL Injection "worm" that applications are not being tested for basic security flaws. The problem is part tools and part education. And with the next generation of developers coming into the workforce, we have to provide the tools and education (and a discussion about consequences and ethics) to protect our users.

Comments are welcome.