[OWASP-GUIDE] State of the Guide

Andrew van der Stock vanderaj at greebo.net
Wed Nov 16 05:09:15 EST 2005


Hi there,

I've been slowly editing the Guide over the last month or so. The  
plans are:

* Finalized

The first few chapters (upto "Security Architecture" - see below) are  
already with our publisher, NSP. We will get galleys soon, and I will  
make them available from here. This will be our *last* chance to make  
changes to these. I've edited these primarily for length, not content.

* Chapter elimination

DoS will be rolled into all the other chapters
PHP security will be rolled into all other chapters

* Content Revisions

I have changed the way chapters are laid out into:

Patterns of best practice
Anti-patterns (ie worst practices)
Countermeasures

They are not explicitly laid out with those headings, but it makes it  
easier for developers who writing code from scratch to do the right  
thing if they get lazy and just read the beginning.

I have edited for length. In general, I am aiming to have a shorter  
book (about 250 pages), but with three new chapters. We'll see how  
close we get when I'm finished.

* New / revised content

Web services gains a new section on Ajax and I've been through web  
services with a view to reduce the total size.

Authentication is getting a revision on federated authentication by a  
specialist I know. I'll have to dial back the pro-Tivoli aspects when  
I get the text.

Phishing section will get a pharming section even though it has  
little to do with web application security. I'm also looking at the  
ITCC document on phishing to see if there's anything we can add to  
what's there now. I'm hoping to make this section 10 pages long even  
with the new content.

File system section gains a new section on remote file inclusion.

Error handling / audit / logging gets a new section on debug commands

Session management - the re-org has brought the CSRF issue forward. I  
want to make sure that session fixation is handled correctly

Configuration gains a new section on environment variables

* Stuff that's in progress:

I am coalescing the policy frameworks, coding principles and threat  
modelling into a Security Architecture section. This will be some of  
the last work to be delivered.

I am writing the new chapters which do not have much content.

* Stuff I need a hand with:

Images and examples. I need images wherever you think we need them. I  
need examples in PHP, .NET (C# preferred) and J2EE.

thanks,
Andrew





More information about the Owasp-guide mailing list