[Owasp-board] new OWASP book? "OWASP Attacks Reference Guide 2007"

Jeff Williams jeff.williams at owasp.org
Wed Dec 26 16:51:46 UTC 2007


I was hoping to use the date of April 1 to drive people to contribute. It
really helps get people focused if we have a hard publication date.  Ok?

--Jeff

-----Original Message-----
From: Dinis Cruz [mailto:dinis at ddplus.net] 
Sent: Wednesday, December 26, 2007 11:43 AM
To: jeff.williams at owasp.org
Cc: Leonardo Cavallari Militelli; OWASP Board; Paulo Coimbra
Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"

All I would add to Jeff's comment is that I would like to have a
'book' with what exists today (to be printed in January).

This would be a Word document (in the OWASP doc format used in the
Testing Guide) containing a copy and paste of all articles that will be
targeted by this project.

The only thing to add would be information about your project and a
request for contributions (this would be on the 1st page).

The next version of the book would be published by the 1st of April
(containing the updated materials).

Is that OK?

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org


On 12/26/07, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> Hi Leonardo,
>
> I must have missed your message on the 13th.  My only real goal for the
> April 1 deadline is to have a printable book that documents all the
> "foundation" elements for application security.  We need a reference that
> captures not just attacks (WASC threat thing) or vulnerabilities (CWE) but
> threat agents, countermeasures, technical impacts, and common business
> impacts.
>
> My vision is that every risk must have:
>
> A threat agent using an attack targeting a vulnerability (a missing or
> broken countermeasure) that results in a technical impact and ultimately
> causes a business impact.
>
> So we need a reference guide that has these things all defined and
> interlinked. Not all threat agents can launch all attacks, not all attacks
> work on all vulnerabilities, etc.
>
> Let's get it started!!!  Send out the call for volunteers right away.  But
> instead of a general request, I think we need to be specific.  Like put an
> outline of all the articles and ask for volunteers to take responsibility
> for parts of the outline.  We can use this to track progress in a wiki
> page.  E.g.
>
> Threat Agents
> -        X
> -        Y
> -        Z
>
> Attacks
> -        X
> -        Y
> -        Z
>
> Vulnerabilities
> -        Category A  (assigned to Steve Jobs) (done)
> -        Category B  (assigned to Steve McQueen)
> -        Category C
>
> Countermeasures
> -        X
> -        Y
> -        Z
>
> Etc
>
> --Jeff
>
> From: Leonardo Cavallari Militelli [mailto:leonardocavallari at gmail.com]
> Sent: Wednesday, December 26, 2007 7:32 AM
> To: Dinis Cruz
> Cc: Jeff Williams; OWASP Board; Paulo Coimbra
> Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"
>
> Hello guys!
>
> Any updates or "internal messages" regarding this project? :)
>
> I hope all of you had a nice Xmas and wish all the best for 2008!
>
> Leo Cavallari
>
> On Dec 13, 2007 4:28 PM, Leonardo Cavallari Militelli
> <leonardocavallari at gmail.com> wrote:
>
> Hello Dinis/Jeff,
>
> I'm really excited with the idea of creating a Honeycomb book and I'm happy
> with your news.
> As I said before, I felt that OWASP missed the integration of all the
> reference guides and I believe we can handle this project.
>
> However, I'm not quite sure of what you are expecting from me and I'd like
> to get things clear before I start this project, since the Honeycomb project
> has around 600 articles. Of course, there are some redundant ones, but lots
> more stubs and incomplete articles.
>
> This way, I believe the following activities can be reached till April 1st.
> 1) Review the articles in order to create a list of what really needs to be
> done, by:
> -        redundant articles
> -        stub/incomplete/empty articles
> -        completed or small review needs
>
> 2) Define templates for each category (threats, attacks, vulnerabilities,
> and countermeasures) based on CLASP. I think it's needed to add some
> "related ..." section on the CLASP template.
> 3) Review and define the categories/sub-categories for HoneyComb. I think
> we'll need to have some discussions on this.
>
> At this moment, I believe we should put out a Call for Volunteers in order
> to help review, revise, update, add, delete, categorize, and organize the
> information (Jeff's words.. :) ) of all the remaining articles of stage 1.
>
> 4) As articles start to be delivered, I compile them into the "bible under
> revision doc" and share the document with revisors. Once it's finished, we'll
> have the first early edition of the Bible on April 1st.
>
> I think all this is reasonable, however I cannot foresee the amount of
> effort needed, problems and barriers that I can encounter thru the project.
> In addition, it's difficult to state what we can deliver until the deadline,
> mostly because we'll depend on volunteers' engagement.
>
> What do you think about it? Is that what you were expecting for this project?
>
> I got some tiny doubts that I'd like to share, but we should discuss them at
> the appropriate moment.
>
> Shall we work it out?? :)
>
> All the best,
> Leo
>
> On Dec 12, 2007 10:46 PM, Dinis Cruz <dinis at ddplus.net> wrote:
>
> Sorry for the delay in responding to your emails.
>
> We actually had a couple of internal threads following your email, but somehow
> we missed the bit where we told you about our thoughts  :(
>
> As Jeff responded, we love your idea and following your successful
> participation in SpoC we can move forward a bit quicker, and offer you a
> 5,000 sponsorship (instead of you having to apply to the next initiative
> (WoC - Winter of Code 08)).
>
> Regarding publishing, I would like to do this in multiple stages, with a
> first version (i.e. book) created asap with the relevant contents from the
> OWASP website as they exist today (basically what is there now).
>
> This 'book' would already be a great asset, but also would be used by the
> project contributors during their review process (for example I much prefer
> to review text in a book than on a screen).
>
> Back to your project: The idea would be to normalize (i.e. 'clean') all that
> information that is out there, and add new material where necessary (see the
> Honeycomb project).
>
> Moving forward, what we need from you is a project plan where you commit to
> what you can deliver by the 1st of April.
>
> Thanks for your energy :)  and sorry again for this delay.
>
> Dinis
>
> On 12/12/07, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> Hi Leonardo,
>
> We all think this is a fantastic idea.  Actually I'm upset I didn't think to
> publish this a long time ago.  But I'd like to expand the scope of the
> project beyond just attacks.  I'd like to publish the whole Honeycomb
> project in a kind of "encyclopedia" of application security.  I'd like to
> set a date and put out a call for volunteers to help review, revise, update,
> add, delete, categorize, and organize the information.
>
> If you want to just take on the attacks part and get that published as a
> book – please work with Dinis on that.  If you're willing to take on the
> bigger project and help us get the whole encyclopedia created, we're willing
> to fund that effort with a $5,000 grant.  This project would involve setting
> some standards, recruiting people to take responsibility for parts of the
> document, and managing it to completion by some date, say April 1.
>
> Thanks – and please let us know what you'd like to do.
>
> --Jeff
>
> From: Leonardo Cavallari Militelli [mailto:leonardocavallari at gmail.com]
> Sent: Tuesday, December 11, 2007 11:34 AM
> To: jeff.williams at owasp.org
> Cc: Przemyslaw Skowron; Dinis Cruz
> Subject: Re: new OWASP book? "OWASP Attacks Reference Guide 2007"
>
> Hello Jeff and Dinis,
>
> Busy time, hã?! :)
>
> Can we have any details regarding the following ideas?
> We are really willing to put all that in practice.
>
> Best wishes,
> Leo
>
> On Nov 30, 2007 9:35 AM, Leonardo Cavallari Militelli
> <leonardocavallari at gmail.com> wrote:
>
> Hello all,
>
> In addition, while I was developing the attack guide I realized that there
> is poor integration of the guides (threats, attacks, vulnerabilities and
> countermeasures) and I was just waiting for the end of SPOC and the OWASP
> conferences to propose a new project regarding the reviewing, organization and
> integration of them.
>
> Of course, it won't be possible for us to be in charge of developing/describing
> all items in the guide, so the idea is to create a to-do list and call OWASP
> members to contribute in order to get it done quickly. Then we could review
> the contents and compile "the bible"! :)
>
> Jeff and Dinis, let us know your thoughts!
>
> Cheers,
> Leo
>
> On Nov 30, 2007 2:57 AM, Jeff Williams <jeff.williams at owasp.org> wrote:
>
> Dinis,
>
> I think this is a ridiculously good idea. Actually I think we could expand
> it to cover threats, attacks, and vulnerabilities.  It would be great to
> stir up some interest on the lists by setting a publication date.
>
> I'd like to help, but I don't know all the details of getting the books
> produced. Dinis - what are the steps that have to be done before
> production?
>
> Great idea guys!
>
> --Jeff
>
> -----Original Message-----
> From: Przemyslaw Skowron [mailto:przemyslaw.skowron at gmail.com]
> Sent: Thursday, November 29, 2007 5:29 PM
> To: owasp at owasp.org
> Cc: Leonardo Cavallari Militelli
> Subject: new OWASP book? "OWASP Attacks Reference Guide 2007"
>
> Dear Madam/Sir,
>
> We saw on lulu.com a web page dedicated to OWASP's books
> (http://stores.lulu.com/owasp). We are wondering if it's possible to
> publish a guide titled "OWASP Attacks Reference Guide 2007"?
>
> The content of this guide would include our work, which we have done
> during the Spring of Code 2007. Detailed information about the project
> you may find here:
> https://www.owasp.org/index.php/SpoC_007_-_Attacks_Reference_Guide_-_Progress_Page
>
> In addition the content would be formatted similarly to the "OWASP
> Code Review - 2007 (RC1)" (http://www.lulu.com/content/1415989). It
> wouldn't be the wiki format for sure.
>
> Of course we don't have any wage expectations. The only thing we ask
> for is OWASP permission to publish the guide and to provide us with a
> template, e.g. OWASP Code Review 2007 (RC1) :-)
>
> Best regards,
> Leonardo Cavallari Militelli and Przemyslaw 'rezos' Skowron.
>
> --
> Przemyslaw Skowron, <przemyslaw.skowron {at} gmail.com>
> Blog: http://pskowron.blogspot.com (Polish)
> Linkedin: http://www.linkedin.com/in/pskowron