Menu
▾
▴
[Owasp-input-api-developers] My thoughts on requirements
|
From: Gabriel L. <ga...@bu...> - 2002-06-27 04:35:16
|
Here's some thoughts on high level requirements for the filters project. I hope this can serve somewhat as an example, but also as a diving off place... 1. Support for all major web application development platforms This is really critical to be the security standard for web applications and also to be very complete. But, I think its also pretty important to highlight at a high level so that when we do designs we can do designs that facilitate development for the different platforms. By platforms I'm thinking J2EE/JSP/Servlets, ColdFusion, ASP, PHP, .Net, Perl, ... 2. Simple to use Security is hard to begin with, but forcing developers to jump through hoops isn't realistic given schedule needs, developers experience and knowlege, developer acceptance of the api, and such. Because of this, it really needs to be something that the developer can easily integrate into their application, and has some clear easy to follow steps to put it in in the right places to offer real security. 3. Flexible This one is somewhat in conflict with the one above, but I think we can remedy this in the design process by building mutliple layers that allow interaction in different ways. So, while I may want to just have something that will slide into to the development platform I'm using, I think I'd also like something I can put into a novel application that could be built from scratch or something that can be used with an application that is using http to do new and exiting things. Along the lines of the diff between http proper and http extended to handle WebDAV. 4. Safe This api should do what it says it should do and should be very clear about where it stops, so that I understand what I'm protected from and what I'm left to do on my own. When it says it protects from something, there shouldn't be a sneaky way around it. (in lot of ways this is really where I think canonicalization fits in...) 5. Complete It should offer tools and design patterns to help me build a totally secure web application. Where building generic tools to accomplish the job doesn't really fit, this api should allow me to enhance or extend it and in fact encourage me to so that my specific needs are met for enhancing security. For instance, in the case of data type validation. Suppose I have an ID parameter that is used to determine what document we are downloading from a dynamic web application. Some ids are allowed for some users and others are not... This is really a very common design pattern for web applications and a poplular spot for security problems. While its good for us to be able to validate at least that we are getting a numeric value, it would be really nice to be able to plug in acceptable values to custom code, a collection in the platforms session store, a (potentially cached) database query and so forth... I kind of feel like these things might be a little bit higher level then they should be, but maybe they will serve as a tool to get the ball rolling. -gabe |
