[Owasp-board] new OWASP book? "OWASP Attacks Reference Guide 2007"

Jeff Williams jeff.williams at owasp.org
Wed Dec 26 19:08:55 UTC 2007


I don't mind issuing an "alpha" version now.  Actually, that would be a good
way to test out the process of going from wiki-to-PDF.  Can you share the
process you're using for the other books?

--Jeff

-----Original Message-----
From: Dinis Cruz [mailto:dinis at ddplus.net] 
Sent: Wednesday, December 26, 2007 12:47 PM
To: jeff.williams at owasp.org
Cc: Leonardo Cavallari Militelli; OWASP Board; Paulo Coimbra
Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"

Agreed with the hard date, so we would have two 'books' from Leonardo:

- one in Jan (with what is there already)
- one on the 1st of April (with the changes made during this project)

Dinis

On 12/26/07, Jeff Williams <jeff.williams at owasp.org> wrote:
> I was hoping to use the date of April 1 to drive people to contribute. It
> really helps get people focused if we have a hard publication date.  Ok?
>
> --Jeff
>
> -----Original Message-----
> From: Dinis Cruz [mailto:dinis at ddplus.net]
> Sent: Wednesday, December 26, 2007 11:43 AM
> To: jeff.williams at owasp.org
> Cc: Leonardo Cavallari Militelli; OWASP Board; Paulo Coimbra
> Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"
>
> All I would add to Jeff's comment is that I would like to have a
> 'book' with what exists today (to be printed in January).
>
> This would be a word document (in the OWASP doc format used in the
> Testing Guide) containing a copy and paste all articles that will be
> targeted by this project.
>
> The only thing to add would be an information about your project and a
> request for contributions (this would be on the 1st page).
>
> The next version of the book would be published by the 1st of April
> (containing the updated materials)
>
> Is that OK?
>
> Dinis Cruz
> Chief OWASP Evangelist
> http://www.owasp.org
>
>
> On 12/26/07, Jeff Williams <jeff.williams at owasp.org> wrote:
> >
> > Hi Leonardo,
> >
> > I must have missed your message on the 13th.  My only real goal for the
> > April 1 deadline is to have a printable book that documents all the
> > "foundation" elements for application security.  We need a reference that
> > captures not just attacks (WASC threat thing) or vulnerabilities (CWE) but
> > threat agents, countermeasures, technical impacts, and common business
> > impacts.
> >
> > My vision is that every risk must have:
> >
> > A threat agent using an attack targeting a vulnerability (a missing or
> > broken countermeasure) that results in a technical impact and ultimately
> > causes a business impact.
> >
> > So we need a reference guide that has these things all defined and
> > interlinked. Not all threat agents can launch all attacks, not all attacks
> > work on all vulnerabilities, etc.
> >
> > Let's get it started!!!  Send out the call for volunteers right away.  But
> > instead of a general request, I think we need to be specific.  Like put an
> > outline of all the articles and ask for volunteers to take responsibility
> > for parts of the outline.  We can use this to track progress in a wiki
> > page.  E.g.
> >
> > Threat Agents
> > -        X
> > -        Y
> > -        Z
> >
> > Attacks
> > -        X
> > -        Y
> > -        Z
> >
> > Vulnerabilities
> > -        Category A  (assigned to Steve Jobs) (done)
> > -        Category B  (assigned to Steve McQueen)
> > -        Category C
> >
> > Countermeasures
> > -        X
> > -        Y
> > -        Z
> >
> > Etc

> >
> > --Jeff
> >
> > From: Leonardo Cavallari Militelli [mailto:leonardocavallari at gmail.com]
> > Sent: Wednesday, December 26, 2007 7:32 AM
> > To: Dinis Cruz
> > Cc: Jeff Williams; OWASP Board; Paulo Coimbra
> > Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"
> >
> > Hello guys!
> >
> > Any updates or "internal messages" regarding this project? :)
> >
> > I hope all of you had a nice Xmas and wish all the best for 2008!
> >
> > Leo Cavallari
> >
> > On Dec 13, 2007 4:28 PM, Leonardo Cavallari Militelli
> > <leonardocavallari at gmail.com> wrote:
> >
> > Hello Dinis/Jeff,
> >
> > I'm really excited about the idea of creating a Honeycomb book and I'm happy
> > with your news.
> > As I said before, I felt that OWASP missed the integration of all the
> > reference guides and I believe we can handle this project.
> >
> > However, I'm not quite sure of what you are expecting from me and I'd like
> > to get things clear before I start this project, since the Honeycomb project
> > has around 600 articles. Of course, some are redundant, but lots more are
> > stubs and incomplete articles.
> >
> > This way, I believe the following activities can be completed by April 1st.
> > 1) Review the articles in order to create a list of what really needs to be
> > done, by:
> >
> > - redundant articles
> > - stub/incomplete/empty articles
> > - completed or small review needs
> >
> > 2) Define templates for each category (threats, attacks, vulnerabilities,
> > and countermeasures) based on CLASP. I think it's needed to add some
> > "related ..." section on the CLASP template.
> > 3) Review and define the categories/sub-categories for HoneyComb. I think
> > we'll need to have some discussions on this.
> >
> > At this moment, I believe we should put out a Call for Volunteers in order
> > to help review, revise, update, add, delete, categorize, and organize the
> > information (Jeff's words.. :) ) in all the remaining articles of stage 1.
> >
> > 4) As articles start to be delivered, I compile them into the "bible under
> > revision doc" and share the document with reviewers. Once it's finished, we'll
> > have the first early edition of the Bible on April 1st.
> >
> > I think all this is reasonable; however, I cannot foresee the amount of
> > effort needed, or the problems and barriers that I may encounter through the
> > project. In addition, it's difficult to state what we can deliver by the
> > deadline, mostly because we'll depend on volunteer engagement.
> >
> > What do you think about it? Is that what you were expecting for this project?
> >
> > I got some tiny doubts that I'd like to share, but we should discuss them at
> > the appropriate moment.
> >
> > Shall we work it out?? :)
> >
> > All the best,
> > Leo
> >
> > On Dec 12, 2007 10:46 PM, Dinis Cruz <dinis at ddplus.net> wrote:
> >
> > Sorry for the delay in responding to your emails
> >
> > We actually had a couple of internal threads following your email, but somehow
> > we missed the bit where we told you about our thoughts  :(
> >
> > As Jeff responded, we love your idea and, following your successful
> > participation in SpoC, we can move forward a bit quicker and offer you a
> > 5,000 sponsorship (instead of you having to apply to the next initiative
> > (WoC - Winter of Code 08)).
> >
> > Regarding publishing, I would like to do this in multiple stages, with a
> > first version (i.e. book) created asap with the relevant contents from the
> > OWASP website as they exist today (basically what is there now).
> >
> > This 'book' would already be a great asset, but would also be used by the
> > project contributors during their review process (for example I much prefer
> > to review text in a book than on a screen).
> >
> > Back to your project: The idea would be to normalize (i.e. 'clean') all that
> > information that is out there, and add new material where necessary (see the
> > Honeycomb project)
> >
> > Moving forward, what we need from you is a project plan where you commit to
> > what you can deliver by the 1st of April.
> >
> > Thanks for your energy :)  and sorry again for this delay.
> >
> > Dinis
> >
> > On 12/12/07, Jeff Williams <jeff.williams at owasp.org> wrote:
> >
> > Hi Leonardo,
> >
> > We all think this is a fantastic idea.  Actually I'm upset I didn't think to
> > publish this a long time ago.  But I'd like to expand the scope of the
> > project beyond just attacks.  I'd like to publish the whole Honeycomb
> > project in a kind of "encyclopedia" of application security.  I'd like to
> > set a date and put out a call for volunteers to help review, revise, update,
> > add, delete, categorize, and organize the information.
> >
> > If you want to just take on the attacks part and get that published as a
> > book – please work with Dinis on that.  If you're willing to take on the
> > bigger project and help us get the whole encyclopedia created, we're willing
> > to fund that effort with a $5,000 grant.  This project would involve setting
> > some standards, recruiting people to take responsibility for parts of the
> > document, and managing it to completion by some date, say April 1.
> >
> > Thanks – and please let us know what you'd like to do.
> >
> > --Jeff
> >
> >
> > From: Leonardo Cavallari Militelli [mailto:leonardocavallari at gmail.com]
> > Sent: Tuesday, December 11, 2007 11:34 AM
> > To: jeff.williams at owasp.org
> > Cc: Przemyslaw Skowron; Dinis Cruz
> > Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"
> >
> > Hello Jeff and Dinis,
> >
> > Busy time, hã?! :)
> >
> > Can we have any details regarding the following ideas?
> > We are really willing to put all that in practice.
> >
> > Best wishes,
> > Leo
> >
> > On Nov 30, 2007 9:35 AM, Leonardo Cavallari Militelli
> > <leonardocavallari at gmail.com> wrote:
> >
> > Hello all,
> >
> > In addition, while I was developing the attack guide I realized that there
> > is poor integration of the guides (threats, attacks, vulnerabilities and
> > countermeasures) and I was waiting just for the end of SPOC and the OWASP
> > conferences to propose a new project regarding the review, organization and
> > integration of them.
> >
> > Of course, it won't be possible for us to be in charge of developing/describing
> > all items in the guide, so the idea is to create a to-do list and call OWASP
> > members to contribute in order to get it done quickly. Then we could review
> > the contents and compile "the bible"! :)
> >
> > Jeff and Dinis, let us know your thoughts!
> >
> > Cheers,
> > Leo
> >
> > On Nov 30, 2007 2:57 AM, Jeff Williams <jeff.williams at owasp.org> wrote:
> >
> > Dinis,
> >
> > I think this is a ridiculously good idea. Actually I think we could expand
> > it to cover threats, attacks, and vulnerabilities.  It would be great to
> > stir up some interest on the lists by setting a publication date.
> >
> > I'd like to help, but I don't know all the details of getting the books
> > produced. Dinis - what are the steps that have to be done before
> > production?
> >
> > Great idea guys!
> >
> > --Jeff
> >
> > -----Original Message-----
> > From: Przemyslaw Skowron [mailto:przemyslaw.skowron at gmail.com]
> > Sent: Thursday, November 29, 2007 5:29 PM
> > To: owasp at owasp.org
> > Cc: Leonardo Cavallari Militelli
> > Subject: new OWASP book? "OWASP Attacks Reference Guide 2007"
> >
> > Dear Madam/Sir,
> >
> > We saw on lulu.com a web page dedicated to OWASP's books
> > (http://stores.lulu.com/owasp). We are wondering if it's possible to
> > publish a guide titled "OWASP Attacks Reference Guide 2007"?
> >
> > The content of this guide would include our work, which we have done
> > during the Spring of Code 2007. Detailed information about the project
> > you may find here:
> > https://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page
> >
> > In addition the content would be formatted similarly to the "OWASP
> > Code Review - 2007 (RC1)" (http://www.lulu.com/content/1415989). It
> > wouldn't be the wiki format for sure.
> >
> > Of course we don't have any wage expectations. The only thing we ask
> > for is OWASP permission to publish the guide and to provide us with a
> > template, e.g. OWASP Code Review 2007 (RC1) :-)
> >
> > Best regards,
> > Leonardo Cavallari Militelli and Przemyslaw 'rezos' Skowron.
> >
> > --
> > Przemyslaw Skowron, <przemyslaw.skowron {at} gmail.com>
> > Blog: http://pskowron.blogspot.com (Polish)
> > Linkedin: http://www.linkedin.com/in/pskowron