[Owasp-guide] Authors -- how goes?
Boberski, Michael [USA]
boberski_michael at bah.com
Fri Apr 2 10:09:58 EDT 2010
Hi Vishal. You're in luck as they are me, at least 1/3.
The keywords for 4.9 are "implied by the presentation layer": verifiers would investigate what rules might be implied by the presentation layer as a first step and compare them to any controls found on the server side. I would personally, for example, do the work to verify 4.11 first, then I'd do the work to verify 4.9; ASVS doesn't prescribe how requirements are verified, how one might divvy them up, or what approach one may take for each.
Hope this helps,
There is no "trust but verify" when it comes to application security! Verify, THEN trust!
Read the entire post: Inside Booz Allen: <http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>, Outside of Booz Allen: <http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>
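The distinction drawn above (rules the presentation layer merely implies versus controls the server actually enforces) as an added, self-contained example; this is not code from the thread, from the OWASP Guide or from ASVS. It models a tiny web app in memory: a template that renders admin links only to admins, a "vulnerable" handler that authenticates but never authorizes (so hiding the link is the only control), a hardened handler that enforces a server-side policy for every route, and a `verify_4_9` routine that does the 4.9 check the way Michael describes it: derive the rules the UI implies, then request each hidden path as the role it is hidden from and compare. All sessions, roles, routes and function names are constructed for the example.

```python
"""
Added example (not from the OWASP Guide or ASVS): presentation-layer-implied
access rules vs. server-side enforcement, and the ASVS 4.9 comparison check.
All sessions, roles and routes below are constructed sample data.
"""
from dataclasses import dataclass, field

# Server-side session store (constructed): the only trustworthy source of the
# caller's role. A real app would look this up in its session backend.
SESSIONS = {"s-alice": "admin", "s-bob": "user"}

# Presentation layer (constructed): the nav links each role's template renders.
# A link rendered for admins but not for users *implies* "users may not go here".
NAV_LINKS = {
    "admin": ["/", "/reports", "/admin/users", "/admin/delete"],
    "user":  ["/", "/reports"],
}

# Server-side policy (constructed): which roles may reach each route.
ROUTE_POLICY = {
    "/":             {"admin", "user"},
    "/reports":      {"admin", "user"},
    "/admin/users":  {"admin"},
    "/admin/delete": {"admin"},
}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


def implied_rules(roles=("admin", "user")):
    """ASVS 4.9, first step: collect the rules the presentation layer implies.
    Returns {path: set of roles whose template renders a link to it}."""
    paths = sorted({p for r in roles for p in NAV_LINKS.get(r, [])})
    return {p: {r for r in roles if p in NAV_LINKS.get(r, [])} for p in paths}


def handle_vulnerable(req):
    """Authenticates but never authorizes: hiding the admin links in the
    template was the only 'control', so forced browsing to /admin/* succeeds."""
    if SESSIONS.get(req.cookies.get("session")) is None:
        return 401
    if req.path not in ROUTE_POLICY:
        return 404
    return 200


def handle_hardened(req):
    """Enforces the policy on the server for every route (ASVS 4.11), using
    only the role bound to the server-side session, never a client-sent hint."""
    role = SESSIONS.get(req.cookies.get("session"))
    if role is None:
        return 401
    allowed = ROUTE_POLICY.get(req.path)
    if allowed is None:
        return 404
    if role not in allowed:
        return 403
    return 200


def verify_4_9(handler, session_by_role):
    """ASVS 4.9, second step: for every path the UI hides from a role, request
    it as that role anyway and record each case the server lets through.
    Returns a sorted list of (path, role) findings; empty means the server
    enforces at least what the UI implies."""
    findings = []
    for path, ui_allowed in implied_rules().items():
        for role, sid in session_by_role.items():
            if role in ui_allowed:
                continue
            status = handler(Request(path, cookies={"session": sid}))
            if status == 200:
                findings.append((path, role))
    return sorted(findings)


if __name__ == "__main__":
    probes = {"admin": "s-alice", "user": "s-bob"}
    print("vulnerable:", verify_4_9(handle_vulnerable, probes))
    print("hardened:  ", verify_4_9(handle_hardened, probes))
```

Note what the 4.9 check cannot see: it only probes paths the UI reveals to some role, so a route with no link at all (an API endpoint, a legacy page) is never tested by it. That is the gap 4.11 closes, and it is why doing the 4.11 review of every server-side route first, as suggested above, makes the 4.9 comparison a cross-check rather than the sole test.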
From: Vishal Garg [mailto:vishalgrg at gmail.com]
Sent: Friday, April 02, 2010 8:31 AM
To: Boberski, Michael [USA]
Cc: owasp-guide at lists.owasp.org
Subject: Re: [Owasp-guide] Authors -- how goes?
I am not sure whether I should forward this question to you or to the ASVS people.
I am not clear about the difference between ASVS requirements 4.9 and 4.11.
4.9 - Verify that the same access control rules implied by the presentation layer are enforced on the server side.
4.11 - Verify that all access controls are enforced on the server side.
Maybe the right question to ask would be why we have both of these requirements in ASVS when 4.11 alone would have been sufficient, because all access control should always be enforced on the server side irrespective of whether it has been implemented on the client side or not.
On Wed, Mar 31, 2010 at 9:42 PM, Tom Stripling <tstripling at appsecconsulting.com> wrote:
The previous version of the Guide does not match the ASVS outline at *all*. I will have to do a rewrite in order to get it into a format that matches the ASVS headers. For now I've just created blank pages and pasted the previous Guide version into the main Input Validation page. Is that going to work for you? If not, I'd appreciate your input on how you think that content should be segregated.
From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Thursday, March 25, 2010 3:14 PM
To: owasp-guide at lists.owasp.org
Subject: [Owasp-guide] Authors -- how goes?
How goes things with the various sections and worksheets?
Lots of activity actually, looking at SVN logs.
Go ahead, share your good works from this past week with the team.