Hi all,

Many of us have argued that the features of underlying web application frameworks will make a major impact on the security of the individual applications built on top of them.

To that end, a few of my colleagues and I have put together a "Secure Web Application Framework Manifesto". In many ways, this is the inverse of the work that Arshan and the Intrinsic Security Working Group did: our emphasis is on providing a set of requirements for frameworks to follow, rather than evaluating the frameworks themselves. Ideally, frameworks will adhere to the manifesto and publish a list of the features implemented. This helps developers make intelligent decisions about the underlying security of the frameworks they use, and should have the additional benefit of enhancing the default security of web applications.

I'd like to propose turning this into an OWASP project, but wanted to solicit feedback from the security community prior to turning it into an official project.

Here's the link to the paper: http://labs.securitycompass.com/papers/secure-web-application-framework-manifesto-v0-05.pdf

--
Rohit Sethi
Security Compass
http://www.securitycompass.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________