Yes! :)

I am speaking at the OWASP EU conference in Belgium (I hope people speak English 'cos my French is now quite appalling) at the end of May, and I have a paper submission for O'Reilly's OSCON in early July. I am still mulling over whether to submit a proposal to BlackHat as although I love junkets, I can't do too many - I have to work as well :)

Next, once the chapter is released, it will be a major new addition to the OWASP Guide 2.1, and I'm sure we'll be doing something about promoting it at that point.

There's not really any technology required to secure Ajax; it's all about the architecturally correct location of authorization, validation and preventing injection attacks. There's no magic technical bullet, WAF, or similar which can help fix these things.

The issues with Ajax aren't really new, it's just that devs are introducing new classes of vulnerability because they have forgotten the hard lessons learnt in the past.

thanks,
Andrew

On 15/03/2006, at 12:33 PM, Eric Swanson wrote:

My question: How does OWASP plan to educate the public regarding security concerns raised by AJAX and, indeed, any new methodology or technology and what is its plan to develop tools that translate this education into practice? AJAX and related methodologies should be addressed by all groups within OWASP, so I'm guessing that the .NET group isn't the only group actively discussing it. (AFLAX - a Flash version also raises the same concerns.)

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
