Difference between revisions of "SpoC 007 - Web Application Security put into practice"

From OWASP
'''Previous revision'''

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 45% Complete, [[SpoC 007 - Web Application Security put into Practice - Progress Page|Progress Page]]

== Heiko - Web Application Security put into practice ==

=== Executive Summary ===

I'm trying to make the OWASP Top Ten and Guide project known in the programming community, but I understand that clear examples in the specific programming language and best practices with explanation educate the best. I'm at the chair for secure software at my university and I want to contribute practical examples, because I believe not teaching secure programming is a great oversight in today's education. Not only do the programmers in large companies have to be aware of security impacts, but also their future employees and their freelance programmers. I'm with a large organization of freelance programmers, which I want to make aware of security flaws.

The [http://www.rorsecurity.info/ Ruby on Rails Security project] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the [http://www.tiobe.com/tpci.htm Tiobe programming community index], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do [http://en.wikipedia.org/wiki/Cargo_cult_programming cargo cult programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

=== Objectives and Deliverables ===

Create a security guide to the most popular web server software, Apache
* Installation
* secure configuration, emphasis on Rails, but not limited to it
* file system privileges for Rails and Apache
* anti-profiling techniques for Apache
* Modules and mod_security configuration

Create a security guide to the popular database software, MySQL, as a practical contribution to the OWASP Top 10 Insecure Storage section
* Installation
* secure configuration, emphasis on Rails, but not limited to it
* file system privileges for Rails and MySQL
* MySQL access restriction techniques
* encryption methods

Ruby on Rails security guide and code examples, with at least the following topics
* anti-profiling techniques
* Rails routes security
* error handling and presentation, as in OWASP Top 10 Improper Error Handling
* OWASP Top 10: XSS in Rails
* OWASP Top 10: SQL injection in Rails
* OWASP Top 10: Parameter injection in Rails
* OWASP Top 10: Session handling in Rails
* OWASP Top 10: Access control in Rails
* handling of files
* integrity
* encryption and SSL
* logging flaws
* Ajax security

Code & other
* means to check the security of MySQL
* input validation guide, and implement it in Ruby
* update the poorly documented guide at http://manuals.rubyonrails.com/read/chapter/40, which is the only official guide to security
* usage guide for OWASP tools, also in connection with Rails
* make the results known in the several communities I'm in
* if applicable: submit code to Rails for security holes found

=== Long-term vision for the project ===

Make it available to the community and accept security notices and best practices from other users to constantly improve it.

=== Benefits to the OWASP ===

* practical guides on how to put security into practice: the most popular web server software, Apache, and the popular database software, MySQL
* if applicable: additional examples and chapters for the OWASP Guide
* the first and only fully-fledged security guide to a programming language and framework which is used by many large companies
* security awareness of future employees and freelancers
* more exposure of the OWASP

=== Why I should be sponsored for the project ===

I have been programming professionally for 10 years and created several software products, including Internet applications, and I have always focused on security. I am currently graduating from university; my thesis is about web application security. Recently, I started the Ruby on Rails security project, which is the only security project for Rails. I have always delivered my work on time, and I believe I have the knowledge to deliver good quality.

'''Current revision'''

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 60% Complete, [[SpoC 007 - Web Application Security put into Practice - Progress Page|Progress Page]]

== Heiko - Web Application Security put into practice ==

This project is about web application security put into practice, because I understand that clear examples in the specific programming language and best practices with explanation educate the best.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

== Objectives ==

* Create a security guide to the most popular web server software, Apache
* Create a security guide to the popular database software, MySQL
* Ruby on Rails security guide and code examples for each of the OWASP Top Ten

== Spring Of Code 007 ==

This project was selected for the Spring of Code 007 [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Heiko_-_Web_Application_Security_put_into_practice].

'''Progress'''

* Apache Guide (done)
* MySQL Guide (done)
* Ruby On Rails Guide (on the way)

== Resources ==

* The Ruby on Rails Security project [http://www.rorsecurity.info/]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

Revision as of 04:58, 14 July 2007
