Today I sent out an email to hopefully kick-start OWASP's developer outreach. Recipients were an interesting mix of developers and appsec experts. If you want to join us, just subscribe to the Developer Outreach mailing list.
Here's the content of the initial email:
The web is developing at great speed and I love it. But when I read that the average website has nearly 13 serious vulnerabilities I get sad. It's hindering us from doing more stuff on the Internet. Douglas Crockford even suggested we scrap the current HTML5 spec and fix cross-site scripting first. We have a problem.
I'd like to get rid of those 13 vulnerabilities per site and I'm convinced designers and developers of web frameworks and applications are the ones who can make it happen. We just have to get the right things into their toolboxes. This has been called "developer outreach" and currently it's a failure.
Proposed Solution – Security Itches
My first proposition is this: Instead of pushing coding guidelines and security tools onto developers I think we should start by asking them "What are your security itches?". Whatever we get back will be our starting point. Maybe we'll pick ten itches and publish good solutions.
What if they have the *wrong* itches? Well, the goal of the outreach is 1) to find out what developers think, and 2) address their itches to build some much-needed credibility. Before we have credibility we cannot push coding guidelines. And if developers think SSL certs are their primary problem, that *is* important.
Proposed Solution – Open Test Data
Security people tell developers to "do input validation". Input validation is no news to developers. The problem is defining the data model and testing the input validation. We can do something important here – building opentestdata.org. I own the domain and dream about the following beautiful community effort:
You go to the site and can either "submit test data" or "download test data". On the submission page you can anonymously enter e.g. a Portuguese postal address, an Indian human name, a Swedish postal/zip code ... or 100 SQL injection strings. The effort is almost zero.
On the download page you choose your format and download in context. "We have European customers so we want European human names, postal addresses, and phone numbers". Developers will love it. And that's where we can start promoting security testing!
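To make the "testing the input validation" part concrete, here is an added example (mine, not the post's or OWASP's) of a validator test run driven by downloaded test data. It assumes a hypothetical one-JSON-object-per-line download format and uses constructed sample values; the point is that a mix of legitimate international data and injection strings catches validators whose data model is too loose.

```python
import json
import re
# Constructed sample in the shape an opentestdata.org download might take
# (an assumed format, not the site's): one JSON object per line giving the
# category, the value, and whether a correct validator should accept it.
SAMPLE_TEST_DATA = """\
{"category": "se_postal_code", "value": "114 28", "expect_valid": true}
{"category": "se_postal_code", "value": "11428", "expect_valid": true}
{"category": "se_postal_code", "value": "1142", "expect_valid": false}
{"category": "se_postal_code", "value": "114 28' OR '1'='1", "expect_valid": false}
{"category": "human_name", "value": "José Ângelo da Silva", "expect_valid": true}
{"category": "human_name", "value": "O'Brien", "expect_valid": true}
{"category": "human_name", "value": "Robert'); DROP TABLE students;--", "expect_valid": false}
{"category": "human_name", "value": "", "expect_valid": false}
"""
# Swedish postal codes: five digits, conventionally written "NNN NN".
SE_POSTAL_CODE = re.compile(r"^[0-9]{3} ?[0-9]{2}$")
# Human names: runs of Unicode letters joined by a single space, hyphen, apostrophe
# or period. Apostrophes are legitimate (O'Brien), so it is the data model, not a
# blacklist of quote characters, that rejects the injection string above.
HUMAN_NAME = re.compile(r"^[^\W\d_]+(?:[ '.-][^\W\d_]+)*$")

def is_se_postal_code(value: str) -> bool:
    return SE_POSTAL_CODE.match(value) is not None

def is_human_name(value: str) -> bool:
    return len(value) <= 100 and HUMAN_NAME.match(value) is not None

def naive_name(value: str) -> bool:
    """The common 'just check it is not empty' validator, kept for contrast."""
    return len(value.strip()) > 0

def load_test_data(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def run_validation_tests(validators: dict, cases: list) -> list:
    """Return (category, value, expected, actual) for every case a validator gets wrong."""
    failures = []
    for case in cases:
        actual = validators[case["category"]](case["value"])
        if actual != case["expect_valid"]:
            failures.append((case["category"], case["value"], case["expect_valid"], actual))
    return failures

if __name__ == "__main__":
    cases = load_test_data(SAMPLE_TEST_DATA)
    strict = {"se_postal_code": is_se_postal_code, "human_name": is_human_name}
    naive = {"se_postal_code": is_se_postal_code, "human_name": naive_name}
    print("strict validators:", run_validation_tests(strict, cases))
    print("naive name check:", run_validation_tests(naive, cases))
```

The strict validators pass every case; the naive name check accepts the SQL injection string, which is exactly the failure a shared test-data set would surface.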
Questions for You
First question – do you like these ideas? Are they the right way forward? Would you like to be part of making it happen?
How should we ask for security itches? And how do we collect answers? Email? Remember we'll probably get one-liners as well as small essays.
How do we get the test data site flying? App and infrastructure? Auditing à la Wikipedia with a couple of dedicated moderators?