Boberski, Michael [USA]
boberski_michael at bah.com
Wed Mar 31 08:23:08 EDT 2010
I'm not sure a lot of this stuff is intuitively obvious to developers who don't do this stuff for a living; I think it's important to be methodical about building out the sections. Check out the level of detail in e.g. the so-called OWASP "cheat sheets", maybe see what I mean: they're several pages, not one line that says "just escape it".
Yes, to simplify and to be clear, everyone needs to stick with ASVS as-is for a first draft. Then you'll have a basis for arguing for changes or enhancements. There's too much to do to start going off-road.
From: Theo Van Niekerk [mailto:theovn.list at gmail.com]
Sent: Tuesday, March 30, 2010 5:20 PM
To: Boberski, Michael [USA]
Cc: owasp-guide at lists.owasp.org; Abe
Subject: Re: [Owasp-guide] progress
It seems like you want to cover quite a lot of detail in each sheet?
Please correct me if I underestimate the task at hand, but I imagined a single but comprehensive worksheet for each of the ASVS items.
I guess I just want to save some paper! For example, once the developer has identified data outputs (all outputs should be untrusted), the appropriate control should be identified and applied. One could put that on the same or separate sheets. Anyway, it's late here in ZA. I'll think about it some more.
It will probably become more clear when the details get filled in.
By the way, do we stick with the ASVS items as if they are cast in stone, or will we adapt and expand later on?
On 30 Mar 2010, at 21:41, Boberski, Michael [USA] wrote:
> Hi Theo. Some quick initial comments:
> TOC has broken links;
> Worksheets should go on separate wiki pages, e.g.:
> +-- OWASP-060x-DG-xx
> +---- Output encoding/escaping worksheet <-- put link to Word template on this page
> To help get started on parsing requirements into sections, for 0601, I'd minimally start with something like:
> +-- OWASP-0601-DG-01 Identify untrusted HTML data outputs
> +---- Output encoding/escaping worksheet
> +-- OWASP-0601-DG-02 Escape untrusted HTML data outputs
> +---- Build or buy? Security control security check/effect checklist
> +---- Where to use? Solution stack checklist
> +---- How to use? Development team checklist
> +---- See also
> Mike B.
> -----Original Message-----
> From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Theo Van Niekerk
> Sent: Tuesday, March 30, 2010 3:12 PM
> To: owasp-guide at lists.owasp.org
> Cc: Abe
> Subject: [Owasp-guide] progress
> Hi Mike
> I've created the ASVS 6.1 - 6.10 sections on the Wiki and have committed some worksheets.
> Please see that I'm on the right track.
> Theo van Niekerk
> theovn at gmail.com
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org