[Owasp-guide] Authors -- how goes?

Boberski, Michael [USA] boberski_michael at bah.com
Fri Apr 2 13:14:21 EDT 2010


Check out slide # 16 of this: http://www.owasp.org/images/a/a1/AppSec_DC_2009_-_OWASP_Top_10_-_2010_rc1.pptx

Best,

Mike B.

There is no "trust but verify" when it comes to application security!
Verify, THEN trust! Read the entire post: Inside Booz Allen<http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>, Outside of Booz Allen<http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>

From: Vishal Garg [mailto:vishalgrg at gmail.com]
Sent: Friday, April 02, 2010 11:40 AM
To: Boberski, Michael [USA]
Cc: owasp-guide at lists.owasp.org
Subject: Re: [Owasp-guide] Authors -- how goes?

Hi Mike, that was a good catch and it made my task easy :)

But I am still not clear. Would you mind elaborating on what you mean by 'implied by presentation layer'? Doesn't it mean client-side implementation of controls, or am I missing something?

Also I have checked in some content (recycled from previous guide) to the Wiki today. I had added new pages to the Wiki before I looked at your new Wiki structure and thus it may be different from what you had proposed lately. I will change the structure as we go along rather than spending time to amend it again today.

Well, as always, any feedback would be great.

Thanks
Vishal
On Fri, Apr 2, 2010 at 3:09 PM, Boberski, Michael [USA] <boberski_michael at bah.com> wrote:
Hi Vishal. You're in luck as they are me, at least 1/3.

The keywords for 4.9 are "implied by the presentation layer": verifiers would investigate what rules might be implied by the presentation layer as a first step and compare them to any controls found on the server side. I would personally, for example, do the work to verify 4.11 first, then I'd do the work to verify 4.9; ASVS doesn't prescribe how requirements are verified, how one might divvy them up, or what approach one may take for each one.

Hope this helps,

Best,

Mike B.

There is no "trust but verify" when it comes to application security!
Verify, THEN trust! Read the entire post: Inside Booz Allen<http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>, Outside of Booz Allen<http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>

From: Vishal Garg [mailto:vishalgrg at gmail.com]
Sent: Friday, April 02, 2010 8:31 AM
To: Boberski, Michael [USA]
Cc: owasp-guide at lists.owasp.org
Subject: Re: [Owasp-guide] Authors -- how goes?

Hi Mike,

I am not sure whether I should forward this question to you or to the ASVS people.

I am not clear about the difference between ASVS requirements 4.9 and 4.11.

4.9 - Verify that the same access control rules implied by the presentation layer are enforced on the server side.

4.11 - Verify that all access controls are enforced on the server side.

Maybe the right question to ask would be why we have both of these requirements in ASVS when 4.11 alone would have been sufficient, because all access control should always be enforced on the server side irrespective of whether it has been implemented on the client side or not.

Regards
Vishal
On Wed, Mar 31, 2010 at 9:42 PM, Tom Stripling <tstripling at appsecconsulting.com> wrote:
Mike,

The previous version of the Guide does not match the ASVS outline at *all*.  I will have to do a rewrite in order to get it into a format that matches the ASVS headers.  For now I've just created blank pages and pasted the previous Guide version into the main Input Validation page.  Is that going to work for you?  If not, I'd appreciate your input on how you think that content should be segregated.

Regards,
Tom

From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Thursday, March 25, 2010 3:14 PM
To: owasp-guide at lists.owasp.org
Subject: [Owasp-guide] Authors -- how goes?

Hi folks,

How goes things with the various sections and worksheets?

Lots of activity actually, looking at SVN logs.

Go ahead, share your good works from this past week with the team.

Best,

Mike B.


_______________________________________________
Owasp-guide mailing list
Owasp-guide at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-guide
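The 4.9 / 4.11 distinction discussed in the thread above, as an added example that is not part of any message on the list and not OWASP or ASVS code: a toy application whose menu hides privileged actions from ordinary users, a server handler that trusts a "role" value the client posts back (the 4.9 failure), a hardened handler that authorizes on the role bound to the server-side session, and two verification passes, one driven by the rules the presentation layer implies and one driven by the full server-side policy. The menu, session store, policy and action names are all constructed for this example.

```python
from typing import Callable, Dict, List, Set, Tuple

# --- Constructed sample data for this added example (not from the thread) ---

# Presentation layer: the menu entries each role is shown. A verifier reads
# rules off this ("delete_user is only offered to admins", and so on).
MENU_BY_ROLE: Dict[str, List[str]] = {
    "user":  ["view_profile", "edit_profile"],
    "admin": ["view_profile", "edit_profile", "delete_user", "view_audit_log"],
}

# Server-side session store: session id -> role established at login.
SESSIONS: Dict[str, str] = {"sess-alice": "user", "sess-bob": "admin"}

# Server-side policy: action -> roles allowed. export_all_users appears in no
# menu at all, so a 4.9 pass cannot discover it from the UI; 4.11 still covers it.
SERVER_POLICY: Dict[str, Set[str]] = {
    "view_profile":     {"user", "admin"},
    "edit_profile":     {"user", "admin"},
    "delete_user":      {"admin"},
    "view_audit_log":   {"admin"},
    "export_all_users": {"admin"},
}

Handler = Callable[[str, str, Dict[str, str]], int]


def implied_rules(menu_by_role: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Turn the menu into the rules it implies: action -> roles that can see it."""
    rules: Dict[str, Set[str]] = {}
    for role, actions in menu_by_role.items():
        for action in actions:
            rules.setdefault(action, set()).add(role)
    return rules


def handle_vulnerable(session_id: str, action: str, form: Dict[str, str]) -> int:
    """Authorizes on a 'role' value echoed back by the client (e.g. a hidden form
    field). The menu hides privileged actions, but the server trusts the client."""
    if session_id not in SESSIONS:
        return 401
    if action not in SERVER_POLICY:
        return 404
    claimed_role = form.get("role", "user")  # attacker-controlled
    return 200 if claimed_role in SERVER_POLICY[action] else 403


def handle_hardened(session_id: str, action: str, form: Dict[str, str]) -> int:
    """Authorizes on the role bound to the server-side session; the form is ignored."""
    if session_id not in SESSIONS:
        return 401
    if action not in SERVER_POLICY:
        return 404
    return 200 if SESSIONS[session_id] in SERVER_POLICY[action] else 403


def _probe(handler: Handler, rules: Dict[str, Set[str]],
           sessions: Dict[str, str]) -> List[Tuple[str, str]]:
    """For every action and every session whose role the rule excludes, send the
    request claiming the most privileged role in the body. A 200 is a finding."""
    findings: List[Tuple[str, str]] = []
    for action, allowed in rules.items():
        for session_id, role in sessions.items():
            if role in allowed:
                continue
            if handler(session_id, action, {"role": "admin"}) == 200:
                findings.append((action, role))
    return sorted(findings)


def verify_4_9(handler: Handler) -> List[Tuple[str, str]]:
    """ASVS 4.9: rules implied by the presentation layer are enforced server-side."""
    return _probe(handler, implied_rules(MENU_BY_ROLE), SESSIONS)


def verify_4_11(handler: Handler) -> List[Tuple[str, str]]:
    """ASVS 4.11: every access control is enforced server-side, including ones the
    UI never exposes. Here SERVER_POLICY stands in for the list of endpoints a
    verifier would have to enumerate by other means (source, routes, proxy logs)."""
    return _probe(handler, SERVER_POLICY, SESSIONS)


if __name__ == "__main__":
    for name, h in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        print(name, "4.9:", verify_4_9(h), "4.11:", verify_4_11(h))
```

Run as a script it reports findings only for the vulnerable handler. The 4.9 pass finds exactly what the menu reveals (delete_user and view_audit_log reachable by a plain user who tampers the role field); the 4.11 pass also catches export_all_users, which no menu mentions. That is the practical difference between the two requirements: 4.9 uses the UI as its source of rules and is cheap to do first, while 4.11 needs an independent inventory of server-side controls, which is why the vulnerable handler's hidden-field trust shows up under both but the unlisted action only under 4.11.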

