Gabriel, great idea! This is a problem with OWASP in general, but
definitely we can do better on this doc. I think we'll first focus on
putting our words in action with help in contributing some of the
features into Django first, and then revisit the doc. Mainly I'd like
to assess what pieces of it are way too complex to implement as part
of a core framework, and which ones are viable. Once we revise the
list we'll look at ways to better present the data rather than a huge
single doc.

Thanks!

Rohit

On Feb 21, 11:31 pm, Gabriel Hurley <gab...@gmail.com> wrote:
> I've got one bit of feedback to offer on the document (which I did
> bookmark for future reference):
>
> Monolithic documents present a huge problem for finding, using and
> retaining information.
>
> A very useful and interesting extension of this type of project would
> be to work with people who have experience with information
> architecture and data visualization to find new ways of presenting
> this information. An interface that was simple, clear, interactive,
> layered and multi-faceted would make your manifesto into a drastically
> more valuable tool.
>
> I would love to be able to sit down with an interface to all the
> information you've gathered and "explore it". Ideally it would allow
> me to visually follow threads of commonalities in vulnerabilities, see
> clusters of the most common problem areas, and zoom in to the level of
> detail you've gathered on any individual item if I so choose.
>
> Either way, thank you for providing an interesting resource.
>
> All the best,
>
>     - Gabriel Hurley
>
> On Feb 21, 5:09 pm, Rohit Sethi <rkli...@gmail.com> wrote:
>
> > Russell, awesome feedback. Thanks for being candid. We are on the same
> > page that the manifesto is really not all that important in and of
> > itself: The document piece is really only designed to give frameworks
> > a platform to say "hey, these are what we support" so that web app
> > developers building security-sensitive apps get an idea of how much
> > help they'll get from various frameworks.
>
> > I didn't want to bring this up until I got at least one response, but
> > my team is busy seeing which manifesto requirements are:
>
> > a) Already being fulfilled by Django (great- no more work to be done!)
> > b) Have been fulfilled elsewhere (e.g. OWASP ESAPI for Python) and
> > could be built into Django
> > c) Have not yet been done
>
> > We'll be looking to address b) and c) by either porting or building
> > ourselves. We hope we can get your feedback on why some things aren't
> > being implemented (if we can't find a pre-existing discussion in
> > existing tickets and/or this group).
>
> > The manifesto is designed to be only a starting point: it's taking
> > several vulnerabilities, beyond the OWASP top 10, into something
> > targeted specifically for frameworks. It's definitely not intended to
> > be implemented by every framework in the world - nor should it be.
>
> > So, we (myself and at least four of our developers) will be working
> > closely with the Django community. I will be watching the list closely
> > and providing feedback when I can.
>
> > Looking forward to working with you.
>
> > Cheers,
>
> > Rohit
>
> > On Feb 21, 7:42 pm, Russell Keith-Magee <russ...@keith-magee.com>
> > wrote:
>
> > > On Mon, Feb 21, 2011 at 11:21 PM, Rohit Sethi <rkli...@gmail.com> wrote:
> > > > Django devs, I wanted to thank you for a truly awesome framework.
> > > > Programming with Python, and web app dev in Django, is truly a
> > > > pleasure. Our company, Security Compass, uses Django quite
> > > > substantially internally.
>
> > > > We put together a document called the Secure Web Application Framework
> > > > Manifesto for the Open Web Application Security Project (OWASP) - see:
> > > >http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_...
>
> > > > I would love to get your feedback about this project. How much of this
> > > > is realistic and how much of it is pie in the sky? Is it relevant for
> > > > you? If not, how does this document need to change to become relevant?
> > > > Clearly, Django takes security seriously which is a major reason we
> > > > use it. Please feel free to be candid - if you think the document
> > > > sucks and could never be used, it's important you let us know that
> > > > too.
>
> > > Hi Rohit,
>
> > > A lot of effort has clearly gone into this document. I haven't gone
> > > through it with a fine-toothed comb, but it seems like a reasonably
> > > thorough discussion of security issues affecting web frameworks.
>
> > > However, if you're looking for frank feedback, here goes:
>
> > > Who exactly is the intended audience for this document? What is/are
> > > the action item(s) stemming from it?
>
> > > More broadly, what is it you are hoping to achieve by writing this
> > > document?
>
> > > Reading between the lines, I'm guessing you would like to see every
> > > web framework in the world adhering to best practices, with no obvious
> > > and known security vulnerabilities. This is a laudable goal, and I
> > > certainly share this aspiration.
>
> > > But there are two ways to achieve this goal. The first is to sit in a
> > > tower, passing down Solomonic judgements on "the way it should be".
> > > The second is to actually get involved and help make the change you
> > > want to see in the world.
>
> > > Writing manifestos may give you a sense of personal satisfaction at
> > > the volume of material you have generated, but it doesn't actually
> > > change the world at all. It merely provides the reference material
> > > that others may be able to use to inform the changes that they are
> > > making. This is a useful resource, but it isn't *in itself* a catalyst
> > > for change.
>
> > > I'm not suggesting that you should spend all your time being a Django
> > > developer (although I certainly wouldn't turn away the extra help). My
> > > point is that in volunteer open source communities, the only way to
> > > actually bring about change is to actively engage a developer
> > > community. Become a known, trusted voice -- in this case, on security
> > > issues.
>
> > > For example, the Django-dev list has just recently gone through a
> > > series of discussions about our default password hashing policies.
> > > Some of these discussions have hinged on interpretations of what
> > > constitutes best practice in these areas. This would be a golden
> > > opportunity for someone with relevant experience and knowledge to
> > > speak up, offer advice gleaned from experience with other frameworks,
> > > and generally establish topic expertise.
>
> > > There are other examples of people doing this very effectively. Graham
> > > Dumpleton is the developer of mod_wsgi. He isn't a member of the
> > > Django core team, but he is *very* well known to the Django community
> > > because he is actively involved in our mailing lists, issue tracker,
> > > and so on. If a WSGI/Apache configuration related issue arises, Graham
> > > is usually there giving advice. And he doesn't just do this for Django
> > > -- he lurks in a similar way on other Python frameworks. He is
> > > actively involved across the Python web framework community, pushing
> > > an agenda that he is passionate about -- the WSGI interface to Apache.
>
> > > OWASP already maintains a list of vulnerabilities, threats and attacks.
> > > These are very well documented and explained analyses of individual
> > > potential problems, and as a whole, serve as a magnificent reference
> > > resource.
>
> > > Compiling this list (or a subset of that list) into a monolithic
> > > "manifesto" doesn't improve the quality or prescience of the
> > > information. A manifesto is a lovely document that I might read once,
> > > perhaps bookmark or tweet, and then move on. That doesn't actually
> > > help bring about any change.
>
> > > What *would* help bring about change is having someone with expertise
> > > actually getting involved -- participating in discussions, starting
> > > new discussions, raising tickets, auditing code when new problems are
> > > identified, and so on.
>
> > > tl;dr -- You won't get any argument out of me that the goals of OWASP
> > > are important. There are things that are on OWASP's lists that Django
> > > could do better. Sometimes this is out of ignorance, sometimes it's a
> > > matter of history, and sometimes there are other concerns. But writing
> > > long documents describing what other people should do doesn't help
> > > change anything -- we need people to actually get involved and engage
> > > us in specific discussions about what we could be doing better.
>
> > > Yours,
> > > Russ Magee %-)
