[OWASP-GUIDE] Technical Editorship
Andrew van der Stock
vanderaj at greebo.net
Sat Jan 29 00:18:31 EST 2005
* Included all the text from the CVS XML into an editable lump in
* Reduced dupes and fixed basic section / chapter issues. It currently
stands at 40,800 words and 102 pages and counting. My aim is to try and keep
it under 125 pages.
* Fixed a massive number of spelling and grammar mistakes in the
existing text. This is most likely due to the poor or non-existent word
processing capabilities of XML editors.
* Re-attached the images (the existing 2.0 a2 is missing about 35 kb
of text and all of the images).
* Did a first pass at fixing the headings correctly
* Did a test conversion to PDF to ensure the donor Top 10 document
template was okay. It was.
Yesterday and today's efforts include:
* Structural: Coalesced to a single section for each issue, a la Top
10, so you don't have to go to two or three different sections to read about
how to protect and then test for the issue. I'm indicating whether an issue
is a top 10 graphically.
* Edit: Eliminated the foreword, What's New and introduction. They are
out of date and need re-writing
* Edit: Found all the authors I could and sorted them, fixed the
* Edit: Adopting WAS OASIS nomenclature where possible (unless it's
very clunky) and dropping back to Top 10 2004 nomenclature otherwise
* Edit: Security Design area - Heavy revisions in here. Dropped a
couple of the principles in favor of the same ones as Writing Secure Code
2nd Edition (no plagiarism though - new text for the two new principles).
Dramatically simplified this text in most cases. About 80% done. Added CIA
and risk as they were missing from both.
* Edit: I'm considering how best to handle what should be references
or tutorials without throwing them away. The excellent SAML and so-so SSL
tutorials are interesting, but they don't teach you when and how to use them
correctly. My current thought is to make them appendices and change the
focus to how to use SAML (and other authentication schemes like RADIUS /
LDAP) in the Access Control chapter.
* New: Web techniques section has been started. I've included and
revised my old CC handling procedures. I'll include the other basics in
* New: Privacy chapter, discussing browser limitations with caching,
URL anti-caching nonces, how to control IE's password caching behavior, etc.
* New: Authentication bits: RADIUS / LDAP / strong authentication
* New: Injection: LDAP injection
* New: Injection: Phishing sections (this is the most common attack
against Internet Banking, so it deserves a bit more prominence). I will review
and coalesce some thoughts I've had in here; comments most welcome.
* New: Injection: split-session attacks (which is a CRLF injection
attack in HTTP headers)
* New: Sessions: session brute forcing is brought up to date with a
bit of recent research
When it is stable again, I will send out a URL for everyone to look at. The
Word version currently sits at 1.15 MB, and the PDF at 873 KB. The PDF is
web streamable, fully hyperlinked and navigable, and has the Word comments
embedded and is probably the best version for someone who just wants to read
and make simple comments. The Word version is best for those who want to get
in and change it. I would have used master documents, but I did not want to
lock out Open Office users, as it does not support them. I do not want a
high barrier to entry for using Word as a document format.
At the end, after all the heavy lifting has finished, if the desire to put
it back into XML format is strong, I will do this. But doing so will lose:
* Hyperlinks in the PDF versions
* Internal navigation in the PDF version
* Web streaming for the PDF version
Plus, it then becomes difficult to do heavy lifting and editing with
anything approaching the power of 30 year old Wordstar for CP/M. As you can
guess, I'm not a fan of XML. It's a fad akin to asking an architect to
design a 100 story building using chisel and stone tablets, whilst writing
only in cuneiform.
From: owasp-guide-admin at lists.sourceforge.net
[mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Jeff Williams
Sent: Saturday, 29 January 2005 2:58 PM
To: owasp-guide at lists.sourceforge.net
Subject: Re: [OWASP-GUIDE] Technical Editorship
Sounds great. Put me on the reviewer list. Thanks,
Jeff Williams, CEO
Aspect Security, Inc.