[Owasp-board] new OWASP book? "OWASP Attacks Reference Guide 2007"

Dinis Cruz dinis at ddplus.net
Fri Dec 28 03:38:37 UTC 2007


:) :) :) :) :) :) :) :) :)

I had missed the fact that the other HC participants (at least as per
http://www.owasp.org/index.php?title=Category:OWASP_Honeycomb_Project&action=history)
were from Aspect (and managed by Jeff :)  ).  Somehow I was under the
impression that there was somebody else involved, but I guess I was
wrong.

Dinis


On 12/28/07, Jeff Williams <jeff.williams at owasp.org> wrote:
> I am running the Honeycomb project, so yes, I contacted me and I'm fine with
> the whole idea.
>
> --Jeff
>
> -----Original Message-----
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
> Sent: Thursday, December 27, 2007 6:40 PM
> To: Leonardo Cavallari Militelli
> Cc: OWASP Board; Paulo Coimbra
> Subject: Re: [Owasp-board] new OWASP book? "OWASP Attacks Reference Guide
> 2007"
>
> Leonardo,
>
> I would prefer to have a book with the materials that are out there
> ASAP for three reasons:
>
>  1) doing that would be a good learning experience for everybody
> (since of course it will be a semi-automated process (note that
> there is already some experience inside OWASP in converting WIKI pages
> into Word Docs))
>  2) it is much easier to review it on paper (initially at least)
>  3) just doing this 'first pass' will give all participants a much
> better feel for what needs to be done (and what should be the
> priorities).
>
> If the public call for participation is done immediately after this
> book is done, or after some time to digest its contents,  it is up to
> you guys :)
>
> Note that we can publish as many versions (of the book) since a new
> version is just a PDF away.
>
> And yes I will document this process so that you can create the PDFs
> directly.
>
> Btw, Jeff, have you spoken with the guys currently responsible for the
> HoneyComb project? (Since he might want to be involved or have some
> extra ideas to add to the mix)
>
> Thanks for your energy
>
> Dinis
>
> On 12/27/07, Jeff Williams <jeff.williams at owasp.org> wrote:
> >
> > > 1) When in January should I deliver the book?
> > > 2) Should I add only complete articles??
> >
> > I think this should be as soon as possible.  Dinis will have to share the
> > procedure for making a PDF from the Wiki.  I think we should include ALL
> > the articles, and that we should call this an "alpha" or "beta" or "working
> > draft" or something.
> >
> >
> > > Once I got it, I'll outline the sections that an article of a category
> > > must have.
> > > EG: An attack article should have those sections: Description, Severity,
> > > likelihood of exploitation, examples, references, related threats,
> > > vulnerabilities, attacks and countermeasure.
> >
> > I agree with this completely. I think each type of article (threat agent,
> > attack, vulnerability, etc..) will have slightly different sections.  I
> > have some specific ideas about "severity" and "likelihood" - I'd like to get
> > them consistent with the OWASP Risk Rating Methodology in the Testing Guide.
> > Threat Agents, Attacks, and Vulnerabilities have likelihood attributes.
> > Countermeasures have a difficulty to implement.  And Technical and
> > Business impact have impact attributes.  Only taken together can you
> > assemble the "severity" of a risk.  It makes absolutely no sense to talk
> > about the severity of an attack or vulnerability with no context.  That's
> > what the scanner and static analysis tools try to do, but it's ridiculous.
> > For example, is SQL injection critical?  Not if it's a read only database
> > table with non-sensitive information in it.
> >
> > > According to Jeff, we are still missing the "related agent", "technical
> > > impact" and "business impact" sections, right?
> > > Then, I think we should remove Severity and likelihood of exploitation
> > > sections and create a common outline for all reference articles based on
> > > the above.. All articles will have the same sections no matter which
> > > global category they belong to.
> > > 3) Do you think a general outline fits all articles' requirements?
> >
> > Can you put together a standard outline for each of the article types in
> > the Honeycomb?  Then we can discuss.  I don't think ANY of them should have
> > a severity section.  Just likelihood factors or impact factors.  I think
> > the rest of the proposed sections are okay.  The related articles are
> > interesting.  I would expect that a threat agent article would link to the
> > articles on the set of attacks that they are capable of executing.  The
> > attacks would link back to the threat agents, and forwards to the
> > vulnerabilities that the attack targets.  The vulnerabilities would link
> > back to the vulnerabilities, and forward to the countermeasures involved
> > and the technical impacts.  The countermeasures would link back to
> > vulnerabilities and also to technical impacts.  The technical impacts
> > would link back to vulnerabilities and countermeasures, and forward to
> > business impacts.  The business impacts would link back to related
> > technical impacts.
> >
> > > Observe that if I outline the sections after compiling the book, we'll
> > > have different sections even for articles of the same category (except by
> > > attack category that Rezos and I normalized for SPoC). However, it's not
> > > feasible to review sections for all completed articles and compile the
> > > book for January.
> > > 4) How should I proceed: 1- Outline sections and make call for volunteers
> > > or 2- Compile the book with online content and make CFV in the end of
> > > January?
> >
> > Ah - now I understand.  I think we should organize the outline first and
> > do a quick organization of the articles we have.  Then publish and call
> > for volunteers.  Even if this means we have to push out the first
> > published version.  Otherwise, we'll just print crap and get all the
> > volunteers confused about what they're supposed to be doing.
> >
> > > I don't want to be narrow-minded with those long emails, but just get
> > > things clear enough so we avoid future headaches and unneeded discussions.
> >
> > Please keep it up and push this along.  This is exactly what this project
> > needs.  Thanks,
> >
> > --Jeff
> >
> >
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>