Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Security Coordinator (securityaptusventures.com)
Date: Fri Feb 08 2002 - 11:55:47 CST
On Friday 08 February 2002 02:47, Slow2Show wrote:
> ok so since we have been focusing so much on
> testing lately (I think the discussions are great
> BTW)...I think it is time to throw in a blurb about
> helping out the webApp devs out there.
> Let's make a set of functions/subs/methods etc. that
> will strip/parse input data or do other 'basic' tasks
> relating to security for devs working on webApp
> projects....this could be a user driven open source
> project, without a development platform focus
> Just a thought....I don't know if this sort of thing has
> been done before for security specific code.
> University of Florida
> Disclaimer: I'm just a college kid!
It would have to be done for each specific webapp framework, but it shouldn't
be too hard to create a "reference set" of functions for particular
languages, like perl, php, and java. They could be implemented as callable
modules that would do things like "sterilize_form_input()" etc. It would be
best to break down the implementation of those functions into some very
specific sub-steps that could be subclassed and overridden for particular
uses. So you might have things like "remove_quotemarks()" which you could
override to tweak the behaviour of "sterilize_form_input()" wrt quotes for
instance. Another approach would be to pass lots of flags to a constructor to
tell it exactly what behaviour you want, but personally I like subclassing
better; it makes things much more "black box" (though it's tricky in some OO
languages to implement that way). Certainly trivial in OO perl though!
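The "reference set" design sketched above, a `sterilize_form_input()` pipeline whose sub-steps such as `remove_quotemarks()` are separate methods that a subclass can override, written out as an added example. This is not code from the list or from either poster, and it is in Python rather than the OO Perl the reply mentions; the class names, the step list, the control-character and quote-handling policies and the sample inputs are all constructed for this illustration:

```python
import html
import re


class FormSanitizer:
    """A reference sterilize_form_input() built from small, overridable steps.

    Each step is its own method, so a subclass changes one policy (for example
    how quote marks are treated) without touching the rest of the pipeline.
    """

    # Constructed default: the sub-steps run, in this order, by
    # sterilize_form_input(). A subclass may also override STEPS itself.
    STEPS = (
        "strip_control_chars",
        "collapse_whitespace",
        "remove_quotemarks",
        "escape_html",
        "truncate",
    )

    def __init__(self, max_length=256):
        self.max_length = max_length

    def sterilize_form_input(self, value):
        """Run every step in STEPS in order and return the cleaned string."""
        if not isinstance(value, str):
            raise TypeError("form input must be a str")
        for step in self.STEPS:
            value = getattr(self, step)(value)
        return value

    # --- individual sub-steps, each one overridable -----------------------
    def strip_control_chars(self, value):
        # Drop NUL and other ASCII control characters, keeping tab, LF and CR
        # so that collapse_whitespace() can normalise them afterwards.
        return re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", value)

    def collapse_whitespace(self, value):
        # Any run of whitespace (including newlines) becomes a single space.
        return " ".join(value.split())

    def remove_quotemarks(self, value):
        # Default policy: drop both single and double quotes outright.
        return value.replace('"', "").replace("'", "")

    def escape_html(self, value):
        # Encode <, >, &, " and ' so the value is inert when echoed into HTML.
        return html.escape(value, quote=True)

    def truncate(self, value):
        # Bound the length so oversized input cannot reach downstream code.
        return value[: self.max_length]


class CommentSanitizer(FormSanitizer):
    """Override only the quote step: keep apostrophes (O'Brien) and drop
    double quotes; the kept apostrophe is still HTML-escaped later on."""

    def remove_quotemarks(self, value):
        return value.replace('"', "")


# Constructed sample input: markup, both kinds of quote, and a NUL byte.
SAMPLE = "<b>O'Brien</b> said \"hi\"\x00"


def demo():
    """Return the two policies' outputs side by side for the same input."""
    return {
        "default": FormSanitizer().sterilize_form_input(SAMPLE),
        "comment": CommentSanitizer().sterilize_form_input(SAMPLE),
    }


if __name__ == "__main__":
    for name, cleaned in demo().items():
        print(f"{name:8s} {cleaned!r}")
```

The subclass overrides exactly one step and inherits the rest, which is the "black box" property the reply argues for: a caller of `sterilize_form_input()` never sees the quote policy. One caveat when building such a set: stripping characters at input time is lossy (the default policy turns O'Brien into OBrien), and what counts as dangerous depends on where the value ends up, so a step like `escape_html()` protects HTML output only; SQL, shell or LDAP contexts need their own encoding step at the point of use.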