[Owasp-leaders] [Owasp-guide] cheat sheets and the development guide
Boberski, Michael [USA]
boberski_michael at bah.com
Wed Mar 31 14:11:39 EDT 2010
I would propose putting it here, with a note about proposing its inclusion in ASVS and across future guides:
The glossaries across docs should be the same. This next rev of the dev guide will undoubtedly prompt changes to ASVS, this would be an example of a change to its copy of a glossary.
I would like to see the next rev of ASVS driven by next revs of the development and other guides, it's a pretty good argument for change if there's a chapter of explanation about something, but that is something the ASVS project has not explored yet in great detail.
From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
Sent: Wednesday, March 31, 2010 1:16 PM
Cc: owasp-guide at lists.owasp.org; mike.boberski at gmail.com; Ryan Barnett; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-guide] [Owasp-leaders] cheat sheets and the development guide
> Thanks Ryan, Kevin, Mike
> I thought we might of had an "OWASP definition" of Reverse BF seen as we
> should be testing for it, providing detective & preventative measures etc.
> Standardised definitions are useful in terms of people learning what an
> issue is regardless of if it relates to code dev, test, review or
> deployment. It would be good to develop an OWASP dictionary/ thesaurus, such
> like the oxford dictionary for English.
> Would this assist in people mixing up CSRF and XSS :0) and stuff like that?
> Robust defs for issues may also help define a consistent methodology in
> testing for such issues or coding against them?
> who knows?
The ASVS has a glossary associated with it. (See
There are other OWASP glossaries elsewhere as well (e.g., see
<http://www.owasp.org/index.php/Glossary>, there may be others). I've
not checked to see if any of them define this term or not.
Given that Mike seems to wish to leave the ASVS unchanged at this point,
I'm not sure where it should go. However the logical place for would seem
to be the ASVS glossary as that is what is supposed to be what is driving
the OWASP Dev Guide, but I supposed it could go with the main OWASP glossary
too, at <http://www.owasp.org/index.php/Glossary>.
I'd suggest that you (Eoin) take a crack at writing up an official OWASP
definition and them submit it to Mike Boberski and he can decide where
is should be added. Mike, are you OK with that?
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
Owasp-guide mailing list
Owasp-guide at lists.owasp.org
More information about the OWASP-Leaders