A Journey in Security

Encryption Isn't Enough

2015-08-03T13:28:00.000-07:00

Companies need to focus on developing secure coding practices and security education.

http://www.informationweek.com/cloud/software-as-a-service/twitter-security-pro-encryption-isnt-enough/d/d-id/1321432

I shared my thoughts last week Thomas Clayborn at InformationWeek about the state of security and why encryption is not the answer to all problems.

You can read the full story at the link above.

-Michael Coates - @_mwc

OWASP Bay Area - Now with a meetup group

2014-12-09T15:38:00.002-08:00

Are you in the Bay Area and interested in application security? The local OWASP chapter now has a meetup group. Just join the group and you'll be notified of all the great upcoming events. The events rotate throughout the Bay Area so we can attract a variety of attendees.

meetup.com/Bay-Area-OWASP/

Also, keep an eye out for what's happening in September. The big OWASP AppSecUSA conference will be hosted here in San Francisco! Mark your calendars now (and buy a discounted early bird ticket) AppSecUSA.org

-Michael Coates - @_mwc

OWASP AppSensor Book Signing at AppSecUSA

2014-09-15T17:12:00.000-07:00

Join me at OWASP AppSecUSA for a free signed copy of the new OWASP AppSensor Book. I’ll be at the Shape Security booth in the expo area on Thursday afternoon at 4pm.

New to AppSensor?

Imagine if your application could detect a threat before your system and data is breached and automatically ban that user from your application. In short, this is what AppSensor can accomplish.

AppSensor is a free and open source project that provides a framework to equip your application with an advanced defense system. This defense system enables your application to understand malicious activity and respond in real time to protect your sensitive assets and data.

How is this different than traditional IDS and WAFs?

Generic systems can only detect generic attacks. Your application is unique and needs a defensive system that can detect unique attacks targeting your business logic and access control system. Since AppSensor is built inside your application you have full visibility to any malicious activity or probes attempting to compromise your application.

Stop by the Shape Security both for a free signed copy of the AppSensor booth!

-Michael Coates - @_mwc

Has OWASP Helped You? Retweet and help OWASP

2014-08-12T14:21:00.002-07:00

Has OWASP helped you or your org? RT and spread the word about AppSecUSA conf #infosec http://t.co/XS8ZC6ySMQ pic.twitter.com/1zOuKCZp5Y
— Michael Coates (@_mwc) August 12, 2014

-Michael Coates - @_mwc

Google's Project Zero

2014-07-17T08:45:00.002-07:00

Google recently announced Project Zero, an initiative to “to significantly reduce the number of people harmed by targeted attacks“. Project Zero is inverting the traditional bug bounty program and there are many positive elements to this new initiative. I'm a big proponent of bug bounty programs and worked with them closely at Mozilla (Mozilla created the first major bug bounty program for Firefox in 2004).

In addition to the positive elements I got a chance to also discuss some of the challenges Project Zero may face with Antone Gonsalves @antoneg at csoonline.com

Google bug-hunting Project Zero could face software developer troubles,
Antone Gonsalves | CSO | Jul 16, 2014

-Michael Coates - @_mwc

Avoiding The Next Heartbleed - LinkedIn Publish

2014-04-17T13:43:00.002-07:00

Avoiding The Next Heartbleed

How should companies learn from Heartbleed to be better prepared for the next major security event?

Full story
https://www.linkedin.com/today/post/article/20140417203003-8374308-avoiding-the-next-heartbleed

-Michael Coates - @_mwc

Discussing Heartbleed

2014-04-16T11:34:00.001-07:00

There's plenty of information out there about Heartbleed. I posted a high level analysis on the Shape blog and there's also an OWASP page up on the topic.

Over the past week I had the opportunity to speak with several organizations about the vulnerability, what is at stake and how organizations should be defending their applications and users.

'Heartbleed' bug in web technology seen as major threat to user data

How to defend against the OpenSSL Heartbleed flaw

-Michael Coates - @_mwc

OWASP AppSec Keynote - Security in an Interconnected and Complex World of Software

2014-03-25T02:00:00.000-07:00

Last week I delivered the closing keynote at the OWASP AppSec Apac conference held in Tokyo, Japan. Riotaro Okada, Sen Ueno, Robert Dracea and the entire OWASP Japan chapter put the amazing conference together.

The slides are posted and a video recording should be available soon.

-Michael Coates - @_mwc

Snapchat Hacked - Aware of Vulnerability for 4 Months

2014-01-02T17:02:00.002-08:00

Snapchat has been hacked and 4.6 million usernames and phone numbers have been exposed. I spoke with Emily Chang on Bloomberg West about the compromise and the risk to users.

As a result of the flaw all of Snapchat's users, reportedly around 8 million, are at risk. You can see if your data is part of the 4.6 millions already compromised by entering your username here http://lookup.gibsonsec.org/. Even though the last 2 digits of the phone number are omitted the full phone numbers have been breached.

Timeline of Events

8/28/2013 - GibsonSecurity discloses potential security vulnerabilities to Snapchat and ZDnet covers the story too
12/24/2013 - GibsonSecurity provides full disclosure of the vulnerability and proof of concept for Find_Friends and bulk account creation attacks. Per GibsonSecurity this is in response to receiving little communication from Snapchat and no traction in resolving the security vulnerabilities in over 4 months
12/27/2013 - Snapchat issues a blogpost acknowledging the potential weaknesses and describes the issue as theoretical. They also assure customers that they've added additional controls to prevent such an attack.
1/1/2014 - An unknown 3rd party unrelated to GibsonSecurity exploits the vulnerability, obtains data on 4.6 million users and provides the data publicly at snapchatdb.info. The last 2 digits of the phone number are obscured.

The Vulnerability
Snapchat's API is not supposed to be publicly used but that doesn't stop anyone from reverse engineering the protocol to determine how it works and how to initiate various actions. GibsonSecurity, a self reported group of "poor students, with no stable source of income" from Australia, did just that.

By design, Snapchat provides a feature for users to locate friends by their phone number. Using the API it was trivial for GibsonSec to leverage automation to initiate numerous requests to this feature. Since phone numbers follow a predictable pattern XXX YYY ZZZZ, the automation simply iterated through each number until the response indicated the number matched a valid user account. When a match was hit the associated Snapchat username was returned for the provided phone number.

Screenshot from snapchatdb.info

Why didn't Snapchat fix this?
Excellent question. Snapchat either didn't understand the issue, put too much faith in their defensive solutions, or deprioritized the issue to focus on feature development. At this point Snapchat has said very little about the issue. Unfortunately startups are increasingly targeted by attackers as they quickly amass a large amount of user data. Although the company may be strapped for engineers, they must realize that once they have valuable data (user data, credit card info, etc) they will be a target.

Rate Limiting and IP Blocking
The minimum defensive control is rate limiting and IP blocking of malicious activity. Unfortunately even these controls quickly fail when the attack is distributed across a botnet. In those situations you must automatically determine human activity from bot activity. While captures are one approach, they are hugely disruptive to users and provide declining defensive value against malicious bots.

Working with Security Researchers
As someone who has worked with the security research community for many years at Mozilla and OWASP there is a lot for Snapchat to learn here.

Acknoweldge the security researchers and thank them for providing the security information. It's unclear what response Snapchat provided, but from GibsonSec's comments it appears there was little communication.
Keep communication lines open with the researchers. Copy them into the bug and provide regular updates on progress. Also ask them if they'd like to take another look at your proposed defensive solution.
Work to fix the issue quickly. There are always competing priorities, but if protecting user data is not extremely high on your list, then you should reevaluate whether users should trust you at all.
Don't publicly downplay a reported security issue as "theoretical". At this point you are inviting someone to prove you wrong - often without the benefit of responsible disclosure.
Provide the public with honest and frequent updates. Forthright communication goes a long way. A good incident response and communication plan can keep a bad situation from getting worse. A bad plan; however, can be a catalyst for negative press in addition to the issue at hand.

The security community can be a wonderful group of talented researchers. In many cases they are working out of intellectual curiosity and want to help companies when they've found flaws. However, dismissing those efforts or pushing them to the back burner can have devastating effects.

In the end, if you are asking users to trust their data with your company then make sure to hold up your end of the bargain - take security seriously and prioritize efforts whenever a security concern arises.

*** Update ***
Snapchat has recently issued a blogpost indicating they plan to allow users to opt-out of the find friends feature, provided they've validated ownership of their phone number. An opt-out approach is unfortunate since users will be vulnerable and exposed by default.

Snapchat also more clearly documented the method for security researchers to contact them at security@snapchat.com. All companies should maintain security@<theircompany>.com

-Michael Coates - @_mwc

The Target breach, Encrypted PINs, and Customer Safety

2013-12-30T01:00:00.000-08:00

On Friday I sat down with Jon Erlichman on Bloomberg West to discuss the recent Target breach, what we know, and what risks face consumers.

Timeline of events & what we know

12/19 Target acknowledges breach of credit card and debit card data used in stores between Nov. 27 and Dec. 15, 2013
12/20 Target update indicates PINs are not at risk "At this time, there is no indication that there has been any impact to PIN numbers."
12/21 Chase Bank changes debit card daily limits for impacted customers to $100 cash withdrawals and $300 for purchases. This impacts 2 million Chase accounts
12/27 Target update reverses initial statement on 12/20 and confirms that additional investigation shows that encrypted PINs were stolen
12/29 Chase Bank maintains limits on impacted accounts but raises daily limits to $250 cash withdrawal and $1500 purchase

Encryption of PINs
On Friday, December 27th Target revealed that the encrypted PINs had been compromised. The press release includes a few important statements:

Target doesn't have the decryption key - "Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor."
Triple DES encryption - "PIN is encrypted at the keypad with what is known as Triple DES"
Target claims customers are safe - "We remain confident that PIN numbers are safe and secure" and "debit card accounts have not been compromised due to the encrypted PIN numbers being taken"

Are customers safe?
I'm not surprised to see Target attempting to calm customers' fears with their statements about the security of the PINs. However, I'm not convinced I'd support their optimism of safety. Triple-DES encryption, when used correctly, does provide strong encryption and it would be infeasible to brute force the encryption key. However, even in an ideal use case there are several weaknesses to Triple DES that could impact the effective strength.

What could go wrong with Triple DES?
But, when used incorrectly Triple DES may only provide the illusion of security for these PINs. Here are two scenarios that could put PIN data immediately at risk:

Triple DES encryption is configured with Electronic Code Book (ECB) -or-
Triple DES encryption is configured with Cipher-block Chaining (CBC) and uses the same Initialization Vector for encryption of each PIN

In these situations the encrypted output would be the same if the input (i.e. the PIN) is the same. This allows attackers to perform analysis of the encrypted PIN data and compare the results with frequency analysis of PIN selection to make reasonable guesses about which encrypted value matches to what original PIN. In other words, if the most common encrypted value is "51 91 ca 27 be 68 c2 21" then there's a really good chance the original PIN for those users is 1234.

Other indications of concern
Another reason to be cautious about the safety of breached users is the actions taken by Chase. In the height of the Christmas season Chase bank changed limits for all impacted customers. This may be a cautionary move by Chase with memories of the 2009 RBS WorldPay attack that resulted in the loss of $9 million in a matter of hours. However, such a decision made in the prime spending hours of Christmas must have been thoroughly discussed and had supporting information justifying their concerns.

Lastly, we don't know what other information will be uncovered during the investigation, or worse, won't be uncovered because the investigation can't detect it. Target themselves initially reported that PINs were safe and unaffected only to later find out, as their investigation continued, that the encrypted values were stolen.

Advice to Customers
My advice for customers involved is to proactively request new debit cards. Credit card fraud can be easily reversed but debit card fraud can result in inaccessibility to lost funds for a period of time during the dispute.

-Michael Coates - @_mwc

Gmail Changes Enables Tracking of User Email Activity

2013-12-12T16:13:00.001-08:00

Changes to Gmail Image Handling Enables Tracking of User Activity with Emails

Google has just modified Gmail so images automatically load within emails.

An important privacy element was omitted from discussion with this change. The change to image handling in gmail creates a reliable method for companies and advertisers to track if a user opens any email sent by the company/advertiser.

This is accomplished since the image within the email can be accompanied with a unique URL parameter that acts as a tracking beacon. If a user opens the email then the image will be automatically loaded and the beacon will be sent back to a web server controlled by the sender. This provides an alert that the specific user opened the email.

Previously Gmail blocked images by default and required users to take a specific action to display the images. So while this beacon based email tracking has always been possible, the default handling in gmail previously made it an unreliable tracking method that wasn't worth the effort.

How Does The Tracking Work?
In this example the company sending the email would own site.com

Company crafts an email and includes an image with a tracking beacon number within a url parameter
http://site.com/picture.jpg?beacon=0001234
User opens the email within gmail and the browser automatically requests the image included in the email
Google has modified the email so the image new resolves through the new proxy service. This means the url from step #1 now looks like this in the source
https://ci4.googleusercontent.com/proxy/wLmL7aeWQ5zwvPCbo5nG=s0-d-e1-ft#http://site.com/picture.jpg?beacon=0001234
The browser automatically requests the image
The google proxy service at ci4.googleusercontent.com receives this request and makes an outbound request to http://site.com/picture.jpg?beacon=0001234
The sender of the email returns picture.jpg and records that user 0001234 has opened the email

Here's a screenshot of my webserver showing the request which includes the URL parameter and also a mention to google's domain ggpht.com

[12/Dec/2013:23:48:10 +0000] "GET /Turkish_Van_Cat.jpg?id=01234 HTTP/1.1" 200 1718186 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com)"

In practice companies wishing to track email activity will simply add a hidden 1 pixel by 1 pixel image that will perform this tracking unbeknownst to the end user.

Opt-Out Argument
The argument that you can opt-out of this new setting is a red-herring. If only those that read this post take actions to opt-out then the vast majority of people can still be tracked using this technique.

Security Win and Privacy Loss?
Perhaps there are security merits to this change. However, the collateral damage should not be ignored and overlooked in this change that impacts all gmail users.

-Michael Coates - @_mwc

3 Bottles of Whiskey for SSL on your News Org Website - Standing Offer

2013-12-11T12:42:00.001-08:00

https://twitter.com/csoghoian/status/410858495890583552

https://twitter.com/_mwc/status/410864015045193728

The original washingtonpost.com article :
News sites could protect your privacy with encryption. Here’s why they probably won’t.

-Michael Coates - @_mwc

Eliminate Application Attackers before Exploitation - Podcast OWASP AppSensor

2013-12-11T10:28:00.001-08:00

Podcast recorded at OWASP AppSecUSA on the AppSensor project.

-Michael Coates - @_mwc

Missed OWASP AppSecUSA? Videos Online Now

2013-12-08T18:24:00.000-08:00

OWASP AppSecUSA videos are now online here.
A quick wrap-up of AppSecUSA from Tom Brennan is posted here.
The whole catalog of owasp videos can be found here.

-Michael Coates - @_mwc

Let's Chat at OWASP AppSecUSA

2013-11-18T14:06:00.000-08:00

I'll be at OWASP AppSecUSA this week and am looking forward to all the great talks and activities. I'd also enjoy the opportunity to setup time to meet with others interested in security, web development, or just catching up.

Let's setup a time - Please send me an email at michael.coates@owasp.org or message me on twitter (@_mwc).

First drink is on me.

-Michael Coates - @_mwc

How Third Party Password Breaches Put Your Website at Risk

2013-11-18T12:46:00.002-08:00

Every website compromise and password breach puts your website at risk even if your business is completely unrelated to the compromised site.

Which major website was compromised this week? How many user details and passwords were stolen?

Over the past few weeks the news was littered with stories of Adobe's compromise of millions of user records, MacRumors theft of 860,000 username and passwords and the compromise of numerous user passwords at Vbulletin.com.

Attackers Data Mine Compromised Passwords

Every time a major password breach occurs the compromised emails addresses and passwords are available for hackers or criminal enterprises to download and analyze. Unfortunately, the breached companies often improperly protect their passwords and as a result it is easy for hackers to obtain the original password for each user. Attackers will collect and store these compromised credentials and then use this information to take over the user's account anywhere else on the web where the user has reused the username and password.

Account Take Over is Distributed and Automated via Botnets

Armed with millions of email addresses and passwords from the breached website, attackers use these credentials to programmatically attempt to login to websites all over the web. This activity is not conducted by a single individual sitting at their computer and manually entering usernames and passwords. Instead criminal enterprises will leverage scripts, automation, and botnets to distribute the attack across many computers all around the world. This automation allows the attacker to cover their tracks by initiating the login attempts from real machines all over the world.

This type of attack is known as credential stuffing also called account takeover

A real world example - How Facebook Is Protecting Their Users

Facebook was not compromised in any of these recent attacks; however, as a large target and an organization that is accurately aware of the risk of third party breaches, their security group took immediate action. Facebook mined the compromised data from the adobe breach to identify Facebook accounts that were potentially at risk. Facebook enabled additional security controls for any account within the adobe breach that used the same password on Facebook.

What You Can Do - Comparing Compromised Passwords with Your Web Applications Users Info

Here's how to check if users the password information within a data breach may put your users at risk. Note: This may not be realistic for an organization to perform due to the technical requirements and resources needed.

Obtain the compromised user data - Download a data dump of the compromised information. This may take some searching but the information is available online.
Determine the passwords associated with user email addresses - This step is straight password cracking. The work required will depend upon on the original method used by the website to protect their passwords. Unfortunately, in many cases the passwords are poorly protected with either encryption or a weak hash such as md5. The current best practice for password storage is bcrypt or PBKDF2. Read here to find out how sophos analyzed the adobe breach.
Test Your User Passwords - Next we need to compare the compromised data with your web application's usernames and passwords. Important, this step does not require you to view the passwords of your users. Instead, we'll simulate the login process in your application to validate if the compromised password from the breached website matches the user in your web application. Here are the steps:

Compare the usernames within the breached data (from step 1) with usernames in your web application. Note any matches. These are the accounts we want to test in your application.
Work with your development team to identify the authentication routine for your web application. This will include a step where the password provided by the user is hashed and then compared against your data store of usernames and hashed passwords
Build a script to perform the hash and database comparison. The purpose of using a script is to avoid having to manually interact with your website UX for each test.
Take the list of impacted usersnames (from step 3.1) and their actual passwords (from step 2) and run them through the script (from step 3.3). If a login is successful then we've identified a reused password that is at risk.

Protect your users - For any matches in step 3.4 you'll want to immediately take action to protect their account. This can include locking their account, forcing a password reset, or whatever actions are typically taken by your organization in the event of account takeover.

What You Can Do - Securely Store Your Passwords
Ensure you protect password data in your application by using an appropriate hashing algorithm. Approaches such as encryption, md5 hashing or any sort of home made manipulation are not sufficient. Instead you should use scrypt, bcrypt or PBKDF2. More information on password storage can be found at the OWASP Password Storage Cheat Sheet.

-Michael Coates - @_mwc

Support OWASP Outreach - Just a few moments today really helps

2013-11-15T09:33:00.004-08:00

OWASP is a worldwide nonprofit organization with a mission of making application security visible for all. In short, we're trying to make the world a better place by providing free security resources and communities.

If OWASP has helped you or your organization please consider supporting our nonprofit. Here are a few ways to help:

Support our ThunderCloud outreach effort for AppSecUSA. This is totally free.

If we reach 100 supporters ThunderCloud will send a single message via the supporters chosen option (facebook, twitter, etc). That's it and we can potentially reach 50k+ people. However, if we don't reach the minimum supports we get nothing.
https://www.thunderclap.it/projects/6403-hackers-hit-time-square-nyc

Attend OWASP AppSecUSA. The event is next week in NYC and will be the most concentrated group of application security professionals in the world. There is an amazing lineup of speakers and events
Support your local OWASP chapter. We have chapters in over 100 countries around the world. Find your local OWASP chapter here.
Consider supporting the OWASP foundation. We offer all of our resources, including owasp.org, for free. We'll be able to continue offering these great items as a result of our supporters.

-Michael Coates - @_mwc

DevBeat - Developer First Security Integrating Security into Development

2013-11-12T10:52:00.000-08:00

I presented to a great developer crowd today at VentureBeat's DevBeat conference in San Francisco. Here are the slides and a few pictures from the event.

-Michael Coates - @_mwc

Virtual Security Training Lab - Setup Instructions

2013-11-11T10:49:00.005-08:00

Below are the setup instructions to configure a virtual security training lab that runs within an isolated virtual machine. Using this lab you can perform hands on security testing that leverage a variety of prominent application security flaws including those mentioned in the OWASP Top 10.

The lab requires the following software (all free):

Virtual Environment

Virtual Box

Web Proxy

OWASP Zap

Security Testing Lab

OWASP Broken Web Apps (BWA) 
OWASP BWA includes the target software OWASP WebGoat

Java SE - May already be installed on your device . No specific version needed.

Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP from Michael Coates

-Michael Coates - @_mwc

OWASP Bay Area - Social Hour in San Francisco on 11/6

2013-10-31T11:47:00.000-07:00

The next OWASP Bay Area social hour is scheduled for Wednesday, November 6 in San Francisco hosted by Lending Club! Our fist social hour was well attended and people really enjoyed it. Please join us for our 2nd event in San Francisco.

RSVP Here:
http://owasp-bayarea.eventbrite.com/
(RSVP is needed to gauge attendance)

When:

Wednesday 11/6/13

5:30-7:30pm
Space and drinks will be provided by our event host Lending Club

Where:

Lending Club

Stevenson Place Building - 2nd Floor

71 Stevenson St

San Francisco, CA 94103

Parking/Travel

The office is near the Montgomery Bart/Muni station.

If driving, a parking garage is located at 123 O'Farrell St.

Street parking will be difficult.

The purpose of the OWASP social gathering is:

Informal security chat - the benefits of "hallway con" and security talk with others in the industry
Networking - meet other people in the field and industry
After work drinks - a nice break after a long work day

Note: These events won't have any formal presentations. They're meant to be social gatherings to meet others in the industry and chat about security. Check our quarterly OWASP Bay Area schedule for the security presentation events.

https://www.owasp.org/index.php/Bay_Area

Is your organization interested in hosting an OWASP social hour in the bay area (San Francisco, South Bay, East Bay)? Contact michael.coates@owasp.org

-Michael Coates - @_mwc

Scaling Web Security - JavaOne Security Talk

2013-09-26T17:50:00.004-07:00

This week I spoke at JavaOne on scaling web security programs. It was a great event and I enjoyed the chance to speak to a great crowd of developers and security individuals.

Presentation below. Enjoy.

2013 michael coates-javaone from Michael Coates

-Michael Coates - @_mwc

Moderated Application Security News Feed from OWASP

2013-09-24T21:31:00.001-07:00

OWASP's moderated application security news feed has returned! We have a new RSS link so please

update your RSS readers with the new information.

The Feed: http://feeds.feedblitz.com/OWASP
Syndicated on twitter: @OWASP_feed

Know of a good application security blog that should be included? Please submit it for consideration here. Lastly, OWASP is free and open so if you're curious how the AppSecNews feed is run then check out the details here.

Many thanks to Jeff Williams for running the AppSecNews feed for the first 8 years. Thanks also to Jim Manico and Sarah Baso for investigating various platforms to restart the new AppSecNews feed!

-Michael Coates - @_mwc

Security Capabilities Comparison (HSTS & CSP) for Mobile & Desktop Browsers

2013-09-18T03:00:00.002-07:00

Compliments of the great website caniuse.com

Mobile Comparison

Strict Transport Security

Content Security Policy

Desktop Comparison

Strict Transport Security

Content Security Policy

-Michael Coates - @_mwc

OWASP Bay Area - Social Hour in Mountain View on 9/25

2013-09-17T02:45:00.001-07:00

Our first Bay Area OWASP social hour(s) will be in Mountain View on Wednesday, September 25th and will be hosted by Shape Security.

The event starts at 5:30pm. Swing by for an after work drink or join us when that last late day meeting ends.

https://owasp-bayarea.eventbrite.com/
Please RSVP so we can gauge attendance

The purpose of the OWASP social gathering is:
- informal security chat - the benefits of "hallway con" and security talk with others in the industry
- networking - meet other people in the field and industry
- a nice break after a long work day

https://www.owasp.org/index.php/Bay_Area

Is your organization interested in hosting an OWASP social hour in the bay area (San Francisco, South Bay, East Bay)? Contact michael.coates@owasp.org

-Michael Coates - @_mwc

OWASP Framework Security Project

2013-09-04T02:00:00.000-07:00

The most effective way to bring security capabilities to developers is to have them built into the framework.

With the above goal I've started the OWASP Framework Security Project.

Get Involved
Please join the mailing list or jump in and start contributing to the wiki

What is the OWASP Framework Security Project?
The OWASP Framework Security Project focuses on understanding missing security controls within popular frameworks, and coordinating with developers and the framework leaders to effectively integrate the missing security controls. This project requires the collaboration between security experts, security minded developers, and framework developers and leaders. The primary deliverable of this project is source code that is accepted into frameworks. The OWASP Framework Security Project will maintain documentation to indicate with security controls have been accepted, and links to code and documentation at each framework.

Needs

Framework Developers - We need your help to build the security controls that will get accepted upstream into the framework. You have the best knowledge on development practices, code style, and knowledge of the framework to get new code accepted.

Security Professionals - We need you to help research and catalog available security controls in various frameworks. Our goal is to produce and clear matrix of available and missing security controls by framework.

Framework Leaders - Do you lead a key portion of a framework? Let's work together to understand the best way to get new security controls added.

-Michael Coates - @_mwc