[OWASP-GUIDE] Guide V2 - A time for action

Andrew van der Stock avanderstock at b-sec.com
Sun Mar 16 18:06:40 EST 2003


I think Passport and Liberty (and products that do similar things, like
basic auth, form auth, etc) should be in an authentication chapter.
Passport has privacy bits, but it's not the raison d'être for the product.


Andrew

-----Original Message-----
From: owasp-guide-admin at lists.sourceforge.net
[mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Mark Curphey
Sent: Saturday, 15 March 2003 4:03 AM
To: owasp-guide at lists.sourceforge.net; Ray Stirbei
Subject: Re: [OWASP-GUIDE] Guide V2 - A time for action

Very much the right woman ;-)

The privacy chapter should be P3P.

Single Sign On has some privacy issues obviously but I think that is a
section in its own right as below in Chapter 6.

I would think we should have the common problems further forward and the
cryptography section towards the end as well.

Introduction
Overview
Principles
Web Security Architectures (MVC etc)
Web Application Frameworks (J2EE and .NET)
Common Problems and How to Mitigate them
Data Validation
Authentication (including SAML and Liberty and .NET Passport)
Access Control, Authorization and Session Management
Web Services and XML Security
Event Logging and Monitoring
Privacy
Cryptography
Appendix A - Java Examples
Appendix B - PHP Examples

I may be missing a few things still.

We have a volunteer for DocBook work. Meet Ray Stirbei. Welcome. Ray,
Adrian has also volunteered so maybe you guys can work together. You can
sign up to the owasp-guide at lists.sourceforge.net list off the sourceforge
page.



On Fri, 2003-03-14 at 08:24, Adrian Wiesmann wrote:
> > I never have the last word on anything ;-)
>
> Married to the wrong woman then? :)
>
> > I can see a case for SAML and Liberty and .NET passport being part of a
> > chapter on SSO / Authentication. I can also see a case for it being part
> > of web services.
>
> I would very much agree on SAML being put in the Web Services Chapter and
> Liberty and Passport put into a "Privacy" chapter. SAML is about something
> in XML, which the whole Web Services chapter is all about. The other two
> are mostly about privacy and authentication which would not really fit in
> there.
>
> > Does anybody have an idealized list of all Chapter headings or strong
> > feeling on how things should be laid out ?
>
> Hmm haven't we done so lately?
>
> The last mail I found was by me :)
>
> > Starter
> > 1 - Introduction
> > 2 - Background
> > 3 - Thinking about the Problem
> > 4 - Principles
> > Theory
> > 13- Privacy
> > 14- Cryptography
> > 12- Web Services and XML Security
> > 5 - Web Security Architectures
> > Practice
> > 6 - Authentication (including SAML and Liberty)
> > 8 - Access Control and Authorization
> > 7 - Session Management
> > 10- Data Validation
> > 9 - Event Logging and Monitoring
> > Summary
> > 11- Common Problems and How to Mitigate them
> >
> > I tried to get the guide into 4 logical groups. While I am not quite
> > satisfied with that version above, I think it's a way to try to go on
> > with. And we definitely would need better names for the 4 logical
> > groups.
>
> Let's take this as a starter?
>
> > Anybody interested in re-doing the DocBook when the new layout is
agreed
> > ?
>
> I could do so but would not burn my hands for if anybody else would be
> interested :)
>
> Regards,
> Adrian
>
>
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-guide
--
Mark Curphey <mark at curphey.com>





