[Owasp-guide] Time to get moving again

Andrew van der Stock
Tue Apr 10 13:39:51 EDT 2007

Hi there,

Who is interested in helping me with editing the Guide? I'd like to get it
to the printers by October this year.

What needs to happen:

Focus sharply on *building* correct software, rather than testing for
defects or describing / teaching attacks. If a technique bridges an attack,
such as XSS, that's okay, but educating the user about potential attacks
against the software belongs in the Testing Guide. The current Guide
has a lot of that, and in some cases it's plain out of date and needs a bit
of a rev.


1. Review each chapter for correctness
2. Put into SFA format
3. Normalize with Testing Guide (which will mean writing new Testing
content; usually by moving our testing content to the Testing Guide)
4. Ensure that we are up to date with the latest issues, such as Ajax and
Web Services, finish off content in Distributed chapter.
5. Update References
6. Peer Review (all hands, including SME outside of this list)
7. Hard lock -> Sent to publisher for layout

The main thing missing so far is to put it into a context. Building secure
software is basically impossible without a working and practiced SDLC. So
basically, I want the beginning chapters to be an Architecture -> Risk ->
Design -> Controls (our existing content) -> Testing (points to the Testing
Guide) -> Configuration -> Deployment -> Maintenance -> Retirement, and a
new chapter on refactoring old code. Most projects do not start over from
scratch, so let's include some details on how to securely re-factor ye olde
code and some of the challenges.

First things first, I need four or five volunteers. We're going to do this
in chunks, which will then end up being reviewed by everyone on this list
who has an interest. The volunteers will be co-editors (as mostly, we're
editing, not writing).

Anyone have a significant chunk of time between now and October?
