[Owasp-guide] Authors -- how goes?

Vishal Garg vishalgrg at gmail.com
Fri Apr 2 11:39:40 EDT 2010


Hi Mike, that was a good catch and it made my task easy :)

But I am still not clear. Would you mind elaborating on what you mean by
'implied by presentation layer'? Doesn't it mean client-side implementation
of controls, or am I missing something?

Also, I have checked in some content (recycled from the previous guide) to the
Wiki today. I had added new pages to the Wiki before I looked at your new
Wiki structure, so it may differ from what you proposed recently. I will
change the structure as we go along rather than spend time amending it again
today.

Well, as always, any feedback would be great.

Thanks
Vishal

On Fri, Apr 2, 2010 at 3:09 PM, Boberski, Michael [USA] <
boberski_michael at bah.com> wrote:

> Hi Vishal. You’re in luck as they are me, at least 1/3.
>
> The keywords for 4.9 are “implied by the presentation layer”: verifiers
> would investigate what rules might be implied by the presentation layer as a
> first step and compare them to any controls found on the server side. I
> would personally, for example, do the work to verify 4.11 first, then I’d do
> the work to verify 4.9; ASVS doesn’t prescribe how requirements are
> verified, how one might divvy them up or what approach one might take for
> each one.
>
> Hope this helps,
>
> Best,
>
> Mike B.
>
> There is no "trust but verify" when it comes to application security!
> Verify, THEN trust! Read the entire post: Inside Booz Allen <http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>,
> Outside of Booz Allen <http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>
>
> *From:* Vishal Garg [mailto:vishalgrg at gmail.com]
> *Sent:* Friday, April 02, 2010 8:31 AM
> *To:* Boberski, Michael [USA]
> *Cc:* owasp-guide at lists.owasp.org
> *Subject:* Re: [Owasp-guide] Authors -- how goes?
>
> Hi Mike,
>
> I am not sure whether I should forward this question to you or to the ASVS
> people.
>
> I am not clear about the difference between ASVS requirements 4.9 and 4.11.
>
> 4.9 - Verify that the same access control rules implied by the presentation
> layer are enforced on the server side.
>
> 4.11 - Verify that all access controls are enforced on the server side.
>
> Maybe the right question to ask would be why we have both of these
> requirements in ASVS when 4.11 alone would have been sufficient, because all
> access control should always be enforced on the server side irrespective of
> whether it has been implemented on the client side or not.
>
> Regards
> Vishal
>
> On Wed, Mar 31, 2010 at 9:42 PM, Tom Stripling <
> tstripling at appsecconsulting.com> wrote:
>
> Mike,
>
> The previous version of the Guide does not match the ASVS outline at *all*.
> I will have to do a rewrite in order to get it into a format that
> matches the ASVS headers.  For now I’ve just created blank pages and pasted
> the previous Guide version into the main Input Validation page.  Is that
> going to work for you?  If not, I’d appreciate your input on how you think
> that content should be segregated.
>
> Regards,
>
> Tom
>
> *From:* owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] *On Behalf Of* Boberski, Michael [USA]
> *Sent:* Thursday, March 25, 2010 3:14 PM
> *To:* owasp-guide at lists.owasp.org
> *Subject:* [Owasp-guide] Authors -- how goes?
>
> Hi folks,
>
> How goes things with the various sections and worksheets?
>
> Lots of activity actually, looking at SVN logs.
>
> Go ahead, share your good works from this past week with the team.
>
> Best,
>
> Mike B.
>
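The 4.9 versus 4.11 distinction discussed in the exchange above, modelled as an added example that is not part of the thread or of ASVS itself; the roles, endpoints and both rule tables are constructed, and `implied_rules`, `check_4_9` and `check_4_11` are hypothetical helper names:

```python
# Added example, not from the thread or from ASVS: a small model of the
# difference between ASVS 4.9 (rules implied by the presentation layer are
# enforced server side) and 4.11 (all access controls are enforced server
# side).  Endpoints, roles and both rule tables are constructed.

ALL_ROLES = {"anonymous", "user", "admin"}

# Presentation layer: roles that are shown a link to each endpoint.
# An endpoint with no entry has no UI at all, so the UI implies no rule.
UI_VISIBILITY = {
    "/dashboard": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/export": {"admin"},
}

# Server side: roles each handler actually permits; None means the handler
# performs no access check and relies on the link being hidden.
SERVER_ALLOW = {
    "/dashboard": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/export": None,          # hidden link is the only "control"
    "/reports/archive": None,       # no link anywhere, reachable by URL
}


def implied_rules(ui):
    """4.9, first step: a role that is shown no link is implied to be denied."""
    return {path: ALL_ROLES - visible for path, visible in ui.items()}


def check_4_11(server):
    """4.11: every endpoint whose handler enforces no access control."""
    return sorted(path for path, allowed in server.items() if allowed is None)


def check_4_9(ui, server):
    """4.9: endpoints where a role the UI hides the link from can still
    reach the handler, i.e. the implied rule is not enforced server side."""
    findings = {}
    for path, denied in implied_rules(ui).items():
        allowed = server.get(path)
        effective = ALL_ROLES if allowed is None else allowed
        leak = denied & effective
        if leak:
            findings[path] = sorted(leak)
    return findings


if __name__ == "__main__":
    print("4.11 findings:", check_4_11(SERVER_ALLOW))
    print("4.9 findings:", check_4_9(UI_VISIBILITY, SERVER_ALLOW))
```

In this model `/admin/export` is flagged by both checks, while `/reports/archive`, which has no UI at all, is flagged only by 4.11.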