[Owasp-guide] progress

Tom Stripling tstripling at appsecconsulting.com
Wed Mar 31 18:27:09 EDT 2010


Ok, so my understanding is that you want a worksheet for every ASVS item.
Please correct me if I'm wrong.

I think I need more guidance on how to create something more than a one-line
worksheet for some of the ASVS items under Input Validation.  Here are some
examples of what I mean:

OWASP-0503 Verify that all input validation failures result in input
rejection or input sanitization
OWASP-0505 Verify that all input validation is performed on the server side

OWASP-0505 in particular is sort of a "don't do anything stupid" requirement
instead of something that would require its own worksheet.  I feel like
creating an entire worksheet for something like this would make the guide
more cumbersome than useful.

I'd like to include these requirements in other worksheets where they fit
instead of creating new worksheets for each item.  Thoughts?

-----Original Message-----
From: owasp-guide-bounces at lists.owasp.org
[mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Wednesday, March 31, 2010 7:23 AM
To: Theo Van Niekerk
Cc: owasp-guide at lists.owasp.org; Abe
Subject: Re: [Owasp-guide] progress

I'm not sure a lot of this stuff is intuitively obvious to developers who
don't do this stuff for a living, I think it's important to be methodical
about building out the sections. Check out the level of detail in e.g. the
so-called OWASP "cheat sheets", maybe see what I mean, they're several pages
not one line that says "just escape it".

Yes, to simplify and to be clear, everyone needs to stick with ASVS as-is
for a first draft. Then you'll have a basis for arguing for changes or
enhancements. There's too much to do to start going off-road.

Best,

Mike B.

-----Original Message-----
From: Theo Van Niekerk [mailto:theovn.list at gmail.com] 
Sent: Tuesday, March 30, 2010 5:20 PM
To: Boberski, Michael [USA]
Cc: owasp-guide at lists.owasp.org; Abe
Subject: Re: [Owasp-guide] progress

Thanks Mike

It seems like you want to cover quite a lot of detail in each sheet?
Please correct me if I underestimate the task at hand, but I imagined a
single but comprehensive worksheet for each of the ASVS items.
I guess I just want to save some paper! For example, once the developer has
identified data outputs (all outputs should be untrusted), the appropriate
control should be identified and applied. One could put that on the same or
separate sheets. Anyway, it's late here in ZA. I'll think about it some more.
It will probably become more clear when the details get filled in.

By the way, do we stick with the ASVS items as if they are cast in stone, or
will we adapt and expand later on?

Cheers
Theo
On 30 Mar 2010, at 21:41, Boberski, Michael [USA] wrote:

> Hi Theo. Some quick initial comments:
> 
> TOC has broken links;
> 
> Worksheets should go on separate wiki pages, e.g.:
> 
> OWASP-060x
> +-- OWASP-060x-DG-xx
> +---- Output encoding/escaping worksheet <-- put link to Word template on this page
> 
> To help get started on parsing requirements into sections, for 0601, I'd minimally start with something like:
> 
> OWASP-0601 Verify that all untrusted data that are output to HTML (including HTML elements, HTML attributes, javascript data values, CSS blocks, and URI attributes) are properly escaped for the applicable context.
> +-- OWASP-0601-DG-01 Identify untrusted HTML data outputs
> +---- Output encoding/escaping worksheet
> +-- OWASP-0601-DG-02 Escape untrusted HTML data outputs
> +---- Build or buy? Security control security check/effect checklist
> +---- Where to use? Solution stack checklist
> +---- How to use? Development team checklist
> +---- See also
> 
> 
> Best,
> 
> Mike B.
> 
> 
> -----Original Message-----
> From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Theo Van Niekerk
> Sent: Tuesday, March 30, 2010 3:12 PM
> To: owasp-guide at lists.owasp.org
> Cc: Abe
> Subject: [Owasp-guide] progress
> 
> Hi Mike
> 
> 
> I've created the ASVS 6.1 - 6.10 sections on the Wiki. And have committed some worksheets.
> Please see that I'm on the right track.
> 
> 
> Regards
> Theo
> --
> Theo van Niekerk
> theovn at gmail.com
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-guide

_______________________________________________
Owasp-guide mailing list
Owasp-guide at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-guide
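The five output contexts that OWASP-0601 names (HTML element, HTML attribute, JavaScript data value, CSS block, URI attribute), shown as one encoder per context. This is an added example written for this archive page, not code from the thread or from OWASP; the function names and the sample link renderer are assumptions.

```javascript
// Context-aware output escaping for the contexts OWASP-0601 lists. The
// encoder is chosen by the destination context of the untrusted value,
// never by where the value came from. Function names are assumptions.

// HTML element content: neutralise the characters that can open markup.
function escapeHtmlElement(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// HTML attribute value: encode all non-alphanumerics as &#xHH;, which is
// safe even if a template author forgot the quotes around the attribute.
function escapeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// JavaScript data value placed inside a quoted JS string literal.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return `\\x${cp.toString(16).padStart(2, '0')}`;
    if (cp < 0x10000) return `\\u${cp.toString(16).padStart(4, '0')}`;
    return `\\u{${cp.toString(16)}}`;
  });
}

// CSS value: \HH escapes; the trailing space keeps a following hex digit
// from being read as part of the escape.
function escapeCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `\\${c.codePointAt(0).toString(16)} `);
}

// URI query parameter: percent-encoding. When the result lands inside an
// HTML attribute it still needs the attribute encoder on top (see below).
function escapeUriParameter(s) {
  return encodeURIComponent(String(s));
}

// Sample renderer (an assumption, not a real template) showing that a
// value crossing two contexts is encoded once per context, inner first.
function renderProfileLink(name) {
  const href = '/profile?user=' + escapeHtmlAttribute(escapeUriParameter(name));
  return `<a href="${href}" title="${escapeHtmlAttribute(name)}">` +
         `${escapeHtmlElement(name)}</a>`;
}
```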
