[Owasp-guide] review of current access control outline
Boberski, Michael [USA]
boberski_michael at bah.com
Fri Apr 2 16:17:07 EDT 2010
Hi Vishal. Looking at your latest... Thank you for your hard work by the way...
Can you further sort access control sections according to the latest/greatest outline below (per email "[Owasp-guide] Further revised dev guide outline", Thu 4/1/2010 8:57 AM)?
Thanks in advance,
Here is the revised outline for the detailed sections, using input validation as the example, the online version of which has yet to be updated accordingly:
# OWASP-0500 Input Validation
* Build or buy?
o OWASP-0501 Verify that the runtime environment is not susceptible to buffer overflows, or that security controls prevent buffer overflows
+ OWASP-0501-DG-01 Define a positive validation pattern for all input
+ OWASP-0501-DG-02 Apply a positive validation pattern to all input
o Input validation worksheet
* See also
For "# OWASP-0500 Input Validation", there shall be a brief explanation about what input validation is and examples of related vulnerabilities, containing recycled or new content.
For "Build or buy", this shall be the guts of each section, containing recycled or new content, according to ASVS requirement and derived guide requirement. The reader should be able to determine if available solutions are sufficient, whether they'll have to build or buy, after reading through this section, that is the "sanity check" that will be performed when reviewing this section. Subsections shall refer to any available worksheets in the next section.
For "Worksheets", there shall be one or more worksheets per section. This will be entirely new content.
For "See also", there shall be references to cheat sheets and other sections and OWASP materials as appropriate.
This structure will also allow us to insert a "Sample code" section later on, but I do not wish to confuse matters by trying to juggle code and content at this point.
More information about the Owasp-guide