[Owasp-board] new OWASP book? "OWASP Attacks Reference Guide 2007"
jeff.williams at owasp.org
Thu Dec 27 18:13:39 UTC 2007
> 1) When in January should I deliver the book?
> 2) Should I add only complete articles?
I think this should be as soon as possible. Dinis will have to share the
procedure for making a PDF from the Wiki. I think we should include ALL the
articles, and that we should call this an "alpha" or "beta" or "working
draft" or something.
> Once I get it, I'll outline the sections that an article of a category
> EG: An attack article should have those sections: Description, Severity,
> likelihood of exploitation, examples,
> references, related threats, vulnerabilities, attacks and
I agree with this completely. I think each type of article (threat agent,
attack, vulnerability, etc.) will have slightly different sections. I have
some specific ideas about "severity" and "likelihood" - I'd like to get them
consistent with the OWASP Risk Rating Methodology in the Testing Guide.
Threat Agents, Attacks, and Vulnerabilities have likelihood attributes.
Countermeasures have a difficulty to implement. And Technical and Business
impact have impact attributes. Only taken together can you assemble the
"severity" of a risk. It makes absolutely no sense to talk about the
severity of an attack or vulnerability with no context. That's what the
scanner and static analysis tools try to do, but it's ridiculous. For
example, is SQL injection critical? Not if it's a read only database table
with non-sensitive information in it.
> According to Jeff, we are still missing the "related agent", "technical
> impact" and "business impact" sections, right?
> Then, I think we should remove the Severity and likelihood of exploitation
> sections and create a common outline for all reference articles based on the
> above. All articles will have the same sections no matter which global
> category they belong to.
> 3) Do you think a general outline fits all articles' requirements?
Can you put together a standard outline for each of the article types in the
Honeycomb? Then we can discuss. I don't think ANY of them should have a
severity section. Just likelihood factors or impact factors. I think the
rest of the proposed sections are okay. The related articles are
interesting. I would expect that a threat agent article would link to the
articles on the set of attacks that they are capable of executing. The
attacks would link back to the threat agents, and forwards to the
vulnerabilities that the attack targets. The vulnerabilities would link
back to the vulnerabilities, and forward to the countermeasures involved and
the technical impacts. The countermeasures would link back to
vulnerabilities and also to technical impacts. The technical impacts would
link back to vulnerabilities and countermeasures, and forward to business
impacts. The business impacts would link back to related technical impacts.
> Observe that if I outline the sections after compiling the book, we'll have
> different sections even for articles of the same category (except for the attack
> category that Rezos and I normalized for SPoC). However, it's not feasible
> to review sections for all completed articles and compile the book for
> 4) How should I proceed: 1- Outline sections and make a call for volunteers or
> 2- Compile the book with online content and make a CFV at the end of January?
Ah - now I understand. I think we should organize the outline first and do
a quick organization of the articles we have. Then publish and call for
volunteers. Even if this means we have to push out the first published
version. Otherwise, we'll just print crap and get all the volunteers
confused about what they're supposed to be doing.
> I don't want to be narrow-minded with those long emails, but just get things
> clear enough so we avoid future headaches and unneeded discussions.
Please keep it up and push this along. This is exactly what this project