[Owasp-board] new OWASP book? "OWASP Attacks Reference Guide 2007"

Jeff Williams jeff.williams at owasp.org
Wed Dec 26 16:12:31 UTC 2007

Hi Leonardo,


I must have missed your message on the 13th.  My only real goal for the
April 1 deadline is to have a printable book that documents all the
“foundation” elements for application security.  We need a reference that
captures not just attacks (WASC threat thing) or vulnerabilities (CWE) but
threat agents, countermeasures, technical impacts, and common business


My vision is that every risk must have


A threat agent using an attack targeting a vulnerability (a missing or
broken countermeasure) that results in a technical impact and ultimately
causes a business impact.


So we need a reference guide that has these things all defined and
interlinked. Not all threat agents can launch all attacks, not all attacks
work on all vulnerabilities, etc


Let’s get it started!!!  Send out the call for volunteers right away.  But
instead of a general request, I think we need to be specific.  Like put an
outline of all the articles and ask for volunteers to take responsibility
for parts of the outline.  We can use this to track progress in a wiki page.


Threat Agents

-        X

-        Y

-        Z


-        X

-        Y

-        Z


-        Category A  (assigned to Steve Jobs) (done)

-        Category B  (assigned to Steve McQueen)

-        Category C


-        X

-        Y

-        Z





From: Leonardo Cavallari Militelli [mailto:leonardocavallari at gmail.com] 
Sent: Wednesday, December 26, 2007 7:32 AM
To: Dinis Cruz
Cc: Jeff Williams; OWASP Board; Paulo Coimbra
Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"


Hello guys!

Any updates or "internal messages" regarding this project? :)

I hope all of you had a nice Xmas and wish all the best for 2008!

Leo Cavallari

On Dec 13, 2007 4:28 PM, Leonardo Cavallari Militelli
<leonardocavallari at gmail.com> wrote:

Hello Dinis/Jeff,

I'm really excited with the idea of creating a Honeycomb book and I'm happy
with your news.
As I said before, I felt that OWASP missed the integration of all references
guide and I believe we can handle this project. 

However, I'm not quite sure of what you are expecting from me and I'd like
let things clever before I start this project, since the Honeycomb project
has around 600 articles. Of course, there are some redundant, but lots more
of stubs and incomplete articles. 

This way, I believe the following activities can be reached till April 1st.
1) Review the articles in order to create a list of what really need to be
done, by: 

*	redundant articles 
*	stub/incomplete/empty articles
*	completed or small review needs

2) Define templates for each category (threats, attacks, vulnerabilities,
and countermeasures) based on CLASP. I think it's needed to add some
"related ..." section on CLASP template. 
3) Review and define the categories/sub-categories for HoneyComb. I think
we'll need to have some discussions on this.

At this moment, I believe we should put out a Call for Volunteers in order
to help review, revise, update, add, delete, categorize, and organize the
information (Jeff words.. :) ) all the remaining articles of stage 1. 

4) As articles start to be delivered, I compile them into the "bible under
revision doc" and share the document with revisors.Once its finished, we'll
have the first early edition of the Bible on April 1st.

I think all this is reasonable, however I cannot foresee the amount of
efforts needed, problems and barriers that I can encounter thru the project.
In addition, it's difficult to state what we can delivery until deadline,
mostly because we'll depend on volunteers engagement. 

What do you think about it? Is that it you were expecting for this project?

I got some tiny doubts that I like to share, but we should discuss them on
the appropriate moment.

Shall we work it out?? :) 

All the best,

On Dec 12, 2007 10:46 PM, Dinis Cruz <dinis at ddplus.net> wrote: 

Sorry for delay in responding to your emails


We actually had a couple internal threads following your email, but somehow
we missed the bit where you told you about our thoughts  :( 


As Jeff responded, we love your idea and following your successful
participation in SpoC we can moveforward a bit quicker, and offer you a
5,000 sponsorship (instead of you having to apply to the next initiative
(WoC - Winter of Code 08)). 


Regarding publishing, I would like to do this in multiple stages, with a
first version (i.e. book) created asap with the relevant contents from the
OWASP website as they exist today (basically what is there now).  


This 'book' would already a great asset, but also would be used by the
project contributors during their review process (for example I much prefer
to review text on a book than on a screen). 


Back to your project: The idea would be to normalize (i.e. 'clean') all that
information that is out there, and add new material where necessary (see the
Honeycomb project) 


Moving forward, what we need from you is a project plan where you commit to
what you can deliver by the 1st of April.


Thanks for your energy :)  and sorry again for this delay. 




On 12/12/07, Jeff Williams <jeff.williams at owasp.org> wrote:

Hi Leonardo,


We all think this is a fantastic idea.  Actually I'm upset I didn't think to
publish this a long time ago.  But I'd like to expand the scope of the
project beyond just attacks.  I'd like to publish the whole Honeycomb
project in a kind of "encyclopedia" of application security.  I'd like to
set a date and put out a call for volunteers to help review, revise, update,
add, delete, categorize, and organize the information.


If you want to just take on the attacks part and get that published as a
book – please work with Dinis on that.  If you're willing to take on the
bigger project and help us get the whole encyclopedia created, we're willing
to fund that effort with a $5,000 grant.  This project would involve setting
some standards, recruiting people to take responsibility for parts of the
document, and managing it to completion by some date, say April 1.


Thanks – and please let us know what you'd like to do.




From: Leonardo Cavallari Militelli [mailto:leonardocavallari at gmail.com] 
Sent: Tuesday, December 11, 2007 11:34 AM
To: jeff.williams at owasp.org
Cc: Przemyslaw Skowron; Dinis Cruz
Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"


Hello Jeff and Dinis,

Busy time, hã?! :)

Can we have any details regarding the following ideas?
We are really willing to put all that in practice.

Best wishes,

On Nov 30, 2007 9:35 AM, Leonardo Cavallari Militelli
<leonardocavallari at gmail.com> wrote:

Hello all,

In addition, while I was developing the attack guide I realize that there
are poor integration of the guides (threats, attacks, vulnerabilities and
countermeasure) and I was waiting just the end of SPOC and OWASP conferences
to propose a new project regarding the reviewing,  organization and
integration of them. 

Of course, it won't be possible to us be on charge of developing/describing
all items in the guide, so the idea is to create a to-do list and call OWASP
members to contribute in order to get it done quickly. Then we could review
the contents and compile "the bible"! :) 

Jeff and Dinis, let us know your thoughts!



On Nov 30, 2007 2:57 AM, Jeff Williams < jeff.williams at owasp.org
<mailto:jeff.williams at owasp.org> > wrote: 


I think this is a ridiculously good idea. Actually I think we could expand 
it to cover threats, attacks, and vulnerabilities.  It would be great to
stir up some interest on the lists by setting a publication date.

I'd like to help, but I don't know all the details of getting the books 
produced. Dinis - what are the steps that have to be done before production?

Great idea guys!


-----Original Message-----
From: Przemyslaw Skowron [mailto:przemyslaw.skowron at gmail.com]
Sent: Thursday, November 29, 2007 5:29 PM
To: owasp at owasp.org
Cc: Leonardo Cavallari Militelli
Subject: new OWASP book? "OWASP Attacks Reference Guide 2007"

Dear Madam/Sir,

We saw on the lulu.com a web page dedicated to OWASP's books 
(http://stores.lulu.com/owasp). We are wondering if it's possible to
publish a guide titled "OWASP Attacks Reference Guide 2007" ?

The content of this guide would include our work, which we have done 
during the Spring of Code 2007. Detailed information about the project
you may find here -


 In addition the content would be formated simmilarly to the  "OWASP
Code Review - 2007 (RC1)" (http://www.lulu.com/content
<http://www.lulu.com/content/1415989>  /1415989
<http://www.lulu.com/content/1415989> ). It
wouldn't be the wiki format for sure.

Of course we don't have any wage expectations. The only thing we ask
for, is OWASP permission to publish the guide and to provide us with
template, e.g . OWASP Code Review 2007 (RC1)) :-)

Best regards,
Leonardo Cavallari Militell and Przemyslaw 'rezos' Skowron.

Przemyslaw Skowron, <przemyslaw.skowron {at} gmail.com>
Blog: http://pskowron.blogspot.com (Polish)
Linkedin: http://www.linkedin.com/in <http://www.linkedin.com/in/pskowron>
/pskowron  <http://www.linkedin.com/in/pskowron> 






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20071226/b542d405/attachment-0002.html>

More information about the Owasp-board mailing list