[OWASP-GUIDE] State of the Guide
Andrew van der Stock
vanderaj at greebo.net
Wed Nov 16 05:09:15 EST 2005
I've been slowly editing the Guide over the last month or so. The
The first few chapters (upto "Security Architecture" - see below) are
already with our publisher, NSP. We will get galleys soon, and I will
make them available from here. This will be our *last* chance to make
changes to these. I've edited these primarily for length, not content.
* Chapter elimination
DoS will be rolled into all the other chapters
PHP security will be rolled into all other chapters
* Content Revisions
I have changed the way chapters are laid out into:
Patterns of best practice
Anti-patterns (ie worst practices)
They are not explicitly laid out with those headings, but it makes it
easier for developers who writing code from scratch to do the right
thing if they get lazy and just read the beginning.
I have edited for length. In general, I am aiming to have a shorter
book (about 250 pages), but with three new chapters. We'll see how
close we get when I'm finished.
* New / revised content
Web services gains a new section on Ajax and I've been through web
services with a view to reduce the total size.
Authentication is getting a revision on federated authentication by a
specialist I know. I'll have to dial back the pro-Tivoli aspects when
I get the text.
Phishing section will get a pharming section even though it has
little to do with web application security. I'm also looking at the
ITCC document on phishing to see if there's anything we can add to
what's there now. I'm hoping to make this section 10 pages long even
with the new content.
File system section gains a new section on remote file inclusion.
Error handling / audit / logging gets a new section on debug commands
Session management - the re-org has brought the CSRF issue forward. I
want to make sure that session fixation is handled correctly
Configuration gains a new section on environment variables
* Stuff that's in progress:
I am coalescing the policy frameworks, coding principles and threat
modelling into a Security Architecture section. This will be some of
the last work to be delivered.
I am writing the new chapters which do not have much content.
* Stuff I need a hand with:
Images and examples. I need images wherever you think we need them. I
need examples in PHP, .NET (C# preferred) and J2EE.
More information about the Owasp-guide