[OWASP-GUIDE] Guide Chapter 10 Thoughts

Christopher Todd chris at christophertodd.com
Tue Jan 28 13:15:15 EST 2003


Mark,

I agree that chapter 10 is too general.  Perhaps we could ask David if he
would be willing and able to contribute what he has already written to the
Guide?  His book uses the same license as the Guide, so there are few issues
there, and I have seen him contribute to OWASP/webappsec lists before.
Plus, his book (as a whole) and his coverage of input validation is
excellent overall.

I'm just thinking about conservation of energy here...if David has already
written an excellent guide to validating user input, let's try to avoid
duplication of effort.

Chris

> -----Original Message-----
> From: owasp-guide-admin at lists.sourceforge.net
> [mailto:owasp-guide-admin at lists.sourceforge.net]On Behalf Of Mark
> Curphey
> Sent: Tuesday, January 28, 2003 1:05 PM
> To: owasp-guide at lists.sourceforge.net
> Subject: [OWASP-GUIDE] Guide Chapter 10 Thoughts
>
>
> I added my authorship to chapter ten last night and realized how
> inadequate that chapter really is. It really just states the best
> strategy should be to allow trusted input and reject all others.
>
> If you take a look at the great secure development book by David
> Wheeler (www.dwheeler.com) his chapter on input filtering covers
> the topic in a more comprehensive and IMHO appropriate way.
>
> That said, he has a section on mitigating XSS.
>
> Should our Chapter 10 be enhanced (I am offering to do it) to go
> into detail about stripping specific characters, dealing with URL
> encoding etc and potentially converge on the work Jeremy Poteet
> is doing about mitigating specific issues, or should it stay at a
> high level as input filtering strategies?
>
>
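An added example (written for this page, not code from the Guide, from David Wheeler's book or from the thread) contrasting the two strategies Mark describes: an allow-list check applied after URL decoding, beside a "strip specific characters" filter. The field name, the allowed character set and the sample inputs are assumptions for illustration.

```python
# Added example: allow-list validation vs. strip-based filtering of a form field.
# The "username" field, its allowed character set and the samples are assumptions.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Allow-list: the only shape a username may take; anything else is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Deny-list: characters a strip-based filter removes to blunt XSS.
STRIP_CHARS = "<>\"'&"


def canonicalize(value: str) -> str:
    """Decode URL encoding exactly once so the check sees what the application will use.
    A single decode is deliberate: if a '%' remains, the value was encoded more than
    once and simply fails the allow-list instead of being decoded again."""
    return unquote(value)


def validate_allowlist(value: str) -> Optional[str]:
    """Return the canonical value if it matches the allow-list, else None (reject)."""
    canon = canonicalize(value)
    return canon if USERNAME_RE.fullmatch(canon) else None


def filter_striplist(value: str) -> str:
    """Strip-based approach: remove listed characters and pass everything else through.
    It does not decode, so an encoded form of a stripped character is left untouched."""
    return "".join(ch for ch in value if ch not in STRIP_CHARS)


def compare(samples: List[str]) -> List[Tuple[str, Optional[str], str]]:
    """Run both strategies over the same inputs for side-by-side inspection."""
    return [(s, validate_allowlist(s), filter_striplist(s)) for s in samples]


# Constructed sample inputs (not from the page)
SAMPLES = [
    "alice_01",       # plain, valid under the allow-list
    "bob%2Dsmith",    # URL-encoded hyphen: decodes to bob-smith, valid
    "ev<il>",         # literal angle brackets: rejected / stripped
    "ev%3Cil%3E",     # same characters URL-encoded: rejected / passed through unchanged
    "%2541",          # double-encoded: one decode leaves '%41', rejected
]

if __name__ == "__main__":
    for raw, allowed, stripped in compare(SAMPLES):
        print(f"{raw!r:16} allow-list -> {allowed!r:14} strip -> {stripped!r}")
```

The side-by-side output is the point: the strip filter lets the URL-encoded form through unchanged, while the allow-list check rejects both forms because it decides on the canonical value.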