[Owasp-board] new OWASP book? "OWASP Attacks Reference Guide 2007"

Dinis Cruz dinis at ddplus.net
Thu Dec 27 23:39:32 UTC 2007


I would prefer to have a book with the materials that are out there
ASAP for three reasons:

 1) doing that would be a good learning experience for everybody
(since of course it will be a semi-automated process (note that
there is already some experience inside OWASP in converting WIKI pages
into Word Docs))
 2) it is much easier to review it on paper (initially at least)
 3) just doing this 'first pass' will give all participants a much
better feel for what needs to be done (and what should be the

If the public call for participation is done immediately after this
book is done, or after some time to digest its contents,  it is up to
you guys :)

Note that we can publish as many versions (of the book) since a new
version is just a PDF away.

And yes I will document this process so that you can create the PDFs directly.

Btw, Jeff, have you spoken with the guys currently responsible for the
HoneyComb project? (Since he might want to be involved or have some
extra ideas to add to the mix)

Thanks for your energy


On 12/27/07, Jeff Williams <jeff.williams at owasp.org> wrote:
> > 1) When in January should I deliver the book?
>  > 2) Should I add only complete articles?
> I think this should be as soon as possible.  Dinis will have to share the
> procedure for making a PDF from the Wiki.  I think we should include ALL the
> articles, and that we should call this an "alpha" or "beta" or "working
> draft" or something.
>  > Once I get it, I'll outline the sections that an article of a category
> must have.
>  > E.g.: An attack article should have these sections: Description, Severity,
> likelihood of exploitation, examples,
>  > references, related threats, vulnerabilities, attacks and
> countermeasures.
> I agree with this completely. I think each type of article (threat agent,
> attack, vulnerability, etc..) will have slightly different sections.  I have
> some specific ideas about "severity" and "likelihood" – I'd like to get them
> consistent with the OWASP Risk Rating Methodology in the Testing Guide.
> Threat Agents, Attacks, and Vulnerabilities have likelihood attributes.
> Countermeasures have a difficulty to implement.  And Technical and Business
> impact have impact attributes.  Only taken together can you assemble the
> "severity" of a risk.  It makes absolutely no sense to talk about the
> severity of an attack or vulnerability with no context.  That's what the
> scanner and static analysis tools try to do, but it's ridiculous.  For
> example, is SQL injection critical?  Not if it's a read only database table
> with non-sensitive information in it.
>  > According to Jeff, we are still missing the "related agent",  "technical
> impact" and "business impact" sections, right?
>  > Then, I think we should remove the Severity and likelihood of exploitation
> sections and create a common outline for all reference articles based on the
> above. All articles will have the same sections no matter which global
> category they belong to.
>  3) Do you think a general outline fits all articles' requirements?
> Can you put together a standard outline for each of the article types in the
> Honeycomb?  Then we can discuss.  I don't think ANY of them should have a
> severity section.  Just likelihood factors or impact factors.  I think the
> rest of the proposed sections are okay.  The related articles are
> interesting.  I would expect that a threat agent article would link to the
> articles on the set of attacks that they are capable of executing.  The
> attacks would link back to the threat agents, and forwards to the
> vulnerabilities that the attack targets.  The vulnerabilities would link
> back to the vulnerabilities, and forward to the countermeasures involved and
> the technical impacts.  The countermeasures would link back to
> vulnerabilities and also to technical impacts.  The technical impacts would
> link back to vulnerabilities and countermeasures, and forward to business
> impacts.  The business impacts would link back to related technical impacts.
>  Observe that if I outline the sections after compiling the book, we'll have
> different sections even for articles of the same category (except for the attack
> category that Rezos and I normalized for SPoC). However, it's not feasible
> to review sections for all completed articles and compile the book for
> January.
>  4) How should I proceed: 1- Outline sections and make a call for volunteers,
> or 2- Compile the book with online content and make the CFV at the end of
> January?
> Ah – now I understand.  I think we should organize the outline first and do
> a quick organization of the articles we have.  Then publish and call for
> volunteers.  Even if this means we have to push out the first published
> version.  Otherwise, we'll just print crap and get all the volunteers
> confused about what they're supposed to be doing.
>  I don't want to be narrow-minded with those long emails, but just to get
> things clear enough so we avoid future headaches and unneeded discussions.
> Please keep it up and push this along.  This is exactly what this project
> needs.  Thanks,
> --Jeff