[Owasp-guide] Getting Started (again)
Ken Owen
kenowen at eowen.com
Wed May 5 15:52:52 EDT 2010
Mike
I have written a new page, however, the wiki will not accept my update.
It says:
> While you were viewing or updating GettingStarted_InjectingSecurity_1, another user submitted an update to it. That user's update has already taken effect. Your update cannot be saved because your changes could overwrite the other user's changes.
>
> Note: if you have been viewing and updating GettingStarted_InjectingSecurity_1 in multiple browser windows or tabs, it is possible that the "other user" is actually yourself.
I was the last person to update the page (yesterday). There are no other
browser windows and my machine has been shut down twice since the
update. Perhaps it has something to do with the read-only status/update
by google this morning (7:30 AM PST).
To move things along, the copy that I was trying to post is below:
Identifying Key Business Risks
Does this application pose any risk to corporate reputation, corporate
relationships with partners, vendors and regulators, proprietary
planning or corporate data? How does your application expose you to
these risks? Enumerate the specific risks associated with each component
in the application, and given the risk level, is it necessary to the
application? At this point, components are just descriptions of
necessary parts of the application written in layman's terms to be
understood by all participants.
This discussion should include all stakeholders, not just developers
and IT, to get a well-rounded perspective before dealing with the
technology aspect. To start:
# identify stakeholders
# brainstorm
# aggregate perceived risks
# evaluate risk/reward profile for the application
With the component list complete, calculate the ASVS level of security
needed for each.
[http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project ASVS (OWASP Application Security Verification Standard)]
provides a basis for testing application technical security controls, as
well as any technical security controls in the environment, that are
relied on to protect against vulnerabilities.
Whenever the site is working properly again, I'll post it.
Ken
Boberski, Michael [USA] wrote:
> Hi Ken, thanks for sticking with this.
>
> The rule of thumb should be that each of the getting started section pages should fill up all the whitespace on the page when one browses to it, if there's not that much, it's likely not enough detail.
>
> While I personally usually abhor such direction, in certain circumstances (such as this one) it can serve a purpose. For example, let's look at "Identifying Key Business Risks".
>
> * First, the title, why is it not "Identifying Key Business Risks".
> * What are "business risks"?
> * What are "competitive factors"?
> * What are "market changes"?
> * What are "risks" that "applications expose you to"?
> * What's "ASVS"?
> * What's an "ASVS level"?
> * What is a "function in the application"?
> * Etc. Definitions!
> * Where is a description of a process? Are those four bullets steps? Why aren't they numbered? What's involved in each step?
> * Etc. Guide! Provide process! It's a guide!
>
> I find it sometimes helpful to pretend to help like you're verbally talking to someone, and just start writing in that fashion, doubling back to break things up, to make things a little more formal/structured.
>
> Think in terms of paragraphs, process, explanations to audiences who are not experts in application security. The guide has to be understandable by non-appsec experts who can code.
>
> HTH. Perhaps let's stick with "Identifying Key Business Risks" and work on that section for a few iterations, with the above in mind.
>
> Thanks for sticking with this, as well.
>
> Best,
>
> Mike B.
>
> -----Original Message-----
> From: Ken Owen [mailto:kenowen at eowen.com]
> Sent: Monday, May 03, 2010 5:24 PM
> To: Boberski, Michael [USA]
> Cc: owasp-guide-bounces at lists.owasp.org
> Subject: Getting Started (again)
>
> Mike
>
> I took another try at this section. I wrote the main page without the
> check lists. The design considerations page is still a bulleted list.
> The four pages under that have several sentences of description, and
> three have links to the appropriate OWASP pages.
>
> If this is OK, I'll go on to the security controls section.
>
> Ken
>
>
--
Ken Owen
Edward Owen Company
Box 407
Granby, CT 06035-0407
Phone: 860.653.6258 x12
Fax: 860.653.6349
email: kenowen at eowen.com