Summit 2011 Working Sessions/Session028

Revision as of 10:59, 2 February 2011 by John Steven (Talk | contribs)

Jump to: navigation, search

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. secure coding.jpg Protecting Information Stored Client-Side
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
Short Work Session Description This section will focus on providing mechanisms for protecting important or sensitive data applications and services need to store client-side. Contexts this section aims to cover include:
  • Personal or user-specific information
  • Application-specific information (tokens, secrets)
  • Key configuration data, other EIS/service information

For the purpose of the Portugal Summit, the session will focus on development within a "classic" N-tier Java application environment.

Within the N-tier Java environment, the session will tackle the following development scenarios:

1) - Coat Check

  • Removing information from a client
  • Server-side storage, memento pattern
  • Solving scale issues

2) - Purse

  • Storing app-important information (like a purse)
  • Resisting attack with augmented plain-text storage!
  • Supporting back, reload, etc.
  • Patterns & design for anti-tampering protocols

3) - Nuclear Briefcase

  • Sensitive, opaque information
  • Shuttling information between 3rd parties

Future summits will address the following two contexts as well:

  • Phones (ios, Android)
  • RIA

However, for the purpose of this coming session, we will only conduct planning and 'homework assignments' for these contexts in the next session (likely Minnesota).

The session will work each of the three above development scenarios within the n-tier environment using the following work stream:

  • Define problem
  • Conduct Cigital-style Threat Model (TM) exercise
  • Co-design solution based on particular threats and attack vectors
  • Implement solution within provided sample application-ette
  • Discuss testing and verification strategies for solution.

Participants will be taken through the above work stream, an abbreviated 'build security in' process designed to focus on implementation (rather than documentation or assurance), to restructure applications to demonstrate security patterns, integrate existing security functionality, or build security controls as necessary.

Related Projects (if any)

Email Contacts & Roles Chair
John Steven @

Operational Manager
Mailing list
Subscription Page

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time

Discussion Model
participants and attendees

Projector, whiteboards, markers, Internet connectivity, power

Proposed by Working Group Approved by OWASP Board

A practical guideline (cookbook?) for safely storing information in a client program, particularly browsers. Suggest tying recommendations to a threat model.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

Name Company Notes & reason for participating, issues to be discussed/addressed
Elke Roth-Mandutz @
GSO-University of Applied Sciences

Chris Schmidt @
Aspect Security

Justin Clarke @
Gotham Digital Science