[OWASP-GUIDE] Guide Chapter 10 Thoughts
David A. Wheeler
dwheeler at dwheeler.com
Fri Jan 31 07:34:16 EST 2003
Unfortunately, I don't have time to contribute to the
OWASP guide as well as my own book.
My book is GFDL; as long as you comply with the GFDL license
you're okay. If you use significant amounts of material,
please credit me as one of the authors, and in any case
please credit me in any significant amount of text you use.
Please quote my name as "David A. Wheeler" -
it turns out that there are a lot of "David Wheeler"s.
--- Mark Curphey <mark at curphey.com> wrote:
> I agree, that would be a great plan. We also reference his book in
> the bibliography now. It's a great read.
> David, how about it? Or would you be interested in using your book
> content as the basis for your contributing to the input validation
> section in the OWASP Guide V 2? The mail list archives have a rich
> history about what will be in this vastly expanded and superior
> version and FYI it will be printed under GPL by No Starch Press.
> ---- Christopher Todd <chris at christophertodd.com> wrote:
> > Mark,
> > I agree that chapter 10 is too general. Perhaps we could ask David if he
> > would be willing and able to contribute what he has already written to the
> > Guide? His book uses the same license as the Guide, so there are few issues
> > there, and I have seen him contribute to OWASP/webappsec lists.
> > Plus, his book (as a whole) and his coverage of input validation is
> > excellent overall.
> > I'm just thinking about conservation of energy here...if David has
> > written an excellent guide to validating user input, let's try to
> > avoid duplication of effort.
> > Chris
> > > -----Original Message-----
> > > From: owasp-guide-admin at lists.sourceforge.net
> > > [mailto:owasp-guide-admin at lists.sourceforge.net]On Behalf Of Mark
> > > Curphey
> > > Sent: Tuesday, January 28, 2003 1:05 PM
> > > To: owasp-guide at lists.sourceforge.net
> > > Subject: [OWASP-GUIDE] Guide Chapter 10 Thoughts
> > >
> > >
> > > I added my authorship to chapter ten last night and realized how
> > > inadequate that chapter really is. It really just states the best
> > > strategy should be to allow trusted input and reject all others.
> > >
> > > If you take a look at the great secure development book by David
> > > Wheeler (www.dwheeler.com) his chapter on input filtering covers
> > > the topic in a more comprehensive and IMHO appropriate way.
> > >
> > > That said, he has sections on mitigating XSS.
> > >
> > > Should our Chapter 10 be enhanced (I am offering to do it) to go
> > > into detail about stripping specific characters, dealing with URL
> > > encoding etc and potentially converge on the work Jeremy Poteet
> > > is doing about mitigating specific issues, or should it stay at a
> > > high level as input filtering strategies?
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.NET email is sponsored by:
> > > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2
> > > http://www.vasoftware.com
> > > _______________________________________________
> > > Owasp-guide mailing list
> > > Owasp-guide at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/owasp-guide
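The two strategies the thread contrasts, the chapter's "allow trusted input and reject all others" rule versus "stripping specific characters, dealing with URL encoding", side by side in code. This is an added example, not code from the thread, the OWASP Guide or David Wheeler's book; the username field, its allowed character class and the sample inputs are constructed for illustration.

```python
"""
Allow-list validation versus deny-list stripping for one form field.
Added illustration; field name, pattern and samples are constructed.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Allow-list: a username may contain only these characters, 1..32 of them.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(raw: str) -> Optional[str]:
    """Decode URL-encoding once, then accept only what matches the allow-list.

    Returns the canonical (decoded) value when acceptable, otherwise None.
    Anything not explicitly permitted is rejected, including inputs that
    still carry a further layer of encoding after one decode.
    """
    decoded = unquote(raw)
    # If a second decode changes the value, the input was nested-encoded.
    # Reject rather than keep decoding: validation must see the final form.
    if unquote(decoded) != decoded:
        return None
    if USERNAME_RE.fullmatch(decoded) is None:
        return None
    return decoded


def strip_dangerous(raw: str) -> str:
    """Deny-list: remove a few literal characters and pass the rest through.

    Shown for contrast only. It never decodes, so an encoded form of a
    stripped character is left untouched and reaches later code that may
    decode it.
    """
    return raw.replace("<", "").replace(">", "")


def compare(samples):
    """Map each sample to (deny-list result, allow-list result)."""
    return {s: (strip_dangerous(s), validate_username(s)) for s in samples}


# Constructed sample inputs as they might arrive in a query string.
SAMPLES = [
    "alice_01",           # plain, acceptable
    "bob%2Dsmith",        # '-' encoded once; canonical form is acceptable
    "mallory%3Cscript",   # '<' encoded; literal strip does not see it
    "%253Cimg",           # nested encoding; allow-list rejects outright
    "carol<x>",           # literal '<' and '>'
]

if __name__ == "__main__":
    for sample, (stripped, validated) in compare(SAMPLES).items():
        print(f"{sample!r:22} strip -> {stripped!r:22} allow-list -> {validated!r}")
```

The allow-list function answers the only question that matters for the field ("is this a username?"), so unknown encodings and characters fall on the reject side by default; the stripping function has to enumerate every form of every bad character, which is the weakness the thread's "URL encoding etc" remark points at.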