SpoC 007 - Web Application Security put into practice

AoC Candidate: Heiko

Project coordinator: Dinis Cruz

Project Progress: 45% Complete, Progress Page

Executive Summary
I'm trying to make the OWASP Top Ten and Guide project known in the programming community, but I understand that clear examples in the specific programming language, and best practices with explanation, educate best. I'm at the chair for secure software at my university and I want to contribute practical examples, because I believe that not teaching secure programming is a great oversight in today's education. Not only programmers in large companies have to be aware of security impacts, but also their future employees and their freelance programmers. I'm with a large organization of freelance programmers, which I want to make aware of security flaws.

The Ruby on Rails Security project started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest-growing level A programming language, according to the Tiobe programming community index, partly because of its advertised simplicity. This is dangerous, as programmers could be enticed into cargo cult programming without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

Objectives and Deliverables
Create a security guide to the most popular web server software, Apache
 * installation
 * secure configuration, with emphasis on Rails but not limited to it
 * file system privileges for Rails and Apache
 * anti-profiling techniques for Apache
 * modules and mod_security configuration

Create a security guide to the popular database software, MySQL, as a practical contribution to the OWASP Top 10 Insecure Storage section
 * installation
 * secure configuration, with emphasis on Rails but not limited to it
 * file system privileges for Rails and MySQL
 * MySQL access restriction techniques
 * encryption methods

Ruby on Rails security guide and code examples, covering at least the following topics
 * anti-profiling techniques
 * Rails routes security
 * error handling and presentation, as in OWASP Top 10 Improper Error Handling
 * OWASP Top 10: XSS in Rails
 * OWASP Top 10: SQL injection in Rails
 * OWASP Top 10: Parameter injection in Rails
 * OWASP Top 10: Session handling in Rails
 * OWASP Top 10: Access control in Rails
 * handling of files
 * integrity
 * encryption and SSL
 * logging flaws
 * Ajax security

Code & other
 * means to check the security of MySQL
 * an input validation guide, with an implementation in Ruby
 * update the poorly documented guide at http://manuals.rubyonrails.com/read/chapter/40, which is the only official guide to security
 * a usage guide for OWASP tools, also in connection with Rails
 * make the results known in the several communities I'm in
 * if applicable: submit code to Rails for security holes found

Long-term vision for the project
Make it available to the community and accept security notices and best practices from other users to constantly improve it.

Benefits to OWASP

 * practical guides on how to put security into practice for the most popular web server software, Apache, and the popular database software, MySQL
 * if applicable: additional examples and chapters for the OWASP Guide
 * the first and only fully-fledged security guide to a programming language and framework that is used by many large companies
 * security awareness among future employees and freelancers
 * more exposure for OWASP

Why I should be sponsored for the project
I have been programming professionally for 10 years and have created several software products, including Internet applications, and I have always focused on security. I am currently graduating from university; my thesis is about web application security. Recently, I started the Ruby on Rails security project, which is the only security project for Rails. I have always delivered my work on time, and I believe I have the knowledge to deliver good quality.