[Owasp-guide] Authors -- how goes?

Vishal Garg vishalgrg at gmail.com
Fri Apr 2 19:16:04 EDT 2010


Thanks Mike, this is what I thought it was, but still wanted to double
check.

Thanks
Vishal

On Fri, Apr 2, 2010 at 6:14 PM, Boberski, Michael [USA] <
boberski_michael at bah.com> wrote:

>  Check out slide # 16 of this:
> http://www.owasp.org/images/a/a1/AppSec_DC_2009_-_OWASP_Top_10_-_2010_rc1.pptx
>
>
>
> Best,
>
>
>
> Mike B.
>
>
>
> There is no "trust but verify" when it comes to application security!
>
> Verify, THEN trust! Read the entire post: Inside Booz Allen<http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>,
> Outside of Booz Allen<http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>
>
>
>
> *From:* Vishal Garg [mailto:vishalgrg at gmail.com]
> *Sent:* Friday, April 02, 2010 11:40 AM
>
> *To:* Boberski, Michael [USA]
> *Cc:* owasp-guide at lists.owasp.org
> *Subject:* Re: [Owasp-guide] Authors -- how goes?
>
>
>
> Hi Mike, that was a good catch and it made my task easy :)
>
> But I am still not clear. Would you mind elaborating on what you mean by
> 'implied by presentation layer'; doesn't it mean client side implementation
> of controls, or am I missing something?
>
> Also I have checked in some content (recycled from previous guide) to the
> Wiki today. I had added new pages to the Wiki before I looked at your new
> Wiki structure and thus it may be different from what you had proposed
> lately. I will change the structure as we go along rather than spending time
> to amend it again today.
>
> Well, as always, any feedback would be great.
>
> Thanks
> Vishal
>
> On Fri, Apr 2, 2010 at 3:09 PM, Boberski, Michael [USA] <
> boberski_michael at bah.com> wrote:
>
> Hi Vishal. You’re in luck as they are me, at least 1/3.
>
>
>
> The keywords for 4.9 are “implied by the presentation layer”; verifiers
> would investigate what rules might be implied by the presentation layer as a
> first step and compare them to any controls found on the server side. I
> would personally, for example, do the work to verify 4.11 first, then I’d do
> the work to verify 4.9; ASVS doesn’t prescribe how requirements are
> verified, how one might divvy them up or what approach each one may
> take.
>
>
>
> Hope this helps,
>
>
>
> Best,
>
>
>
> Mike B.
>
>
>
> There is no "trust but verify" when it comes to application security!
>
> Verify, THEN trust! Read the entire post: Inside Booz Allen<http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>,
> Outside of Booz Allen<http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>
>
>
>
> *From:* Vishal Garg [mailto:vishalgrg at gmail.com]
> *Sent:* Friday, April 02, 2010 8:31 AM
> *To:* Boberski, Michael [USA]
> *Cc:* owasp-guide at lists.owasp.org
> *Subject:* Re: [Owasp-guide] Authors -- how goes?
>
>
>
> Hi Mike,
>
> I am not sure whether I should forward this question to you or to the ASVS
> people.
>
> I am not clear about the difference between ASVS requirements 4.9 and 4.11.
>
> 4.9 - Verify that the same access control rules implied by the presentation
> layer are enforced on the server side.
>
> 4.11 - Verify that all access controls are enforced on the server side.
>
> Maybe the right question to ask would be why we have both these
> requirements in ASVS when only 4.11 would have been sufficient, because all
> access control should always be enforced on the server side irrespective
> of whether it has been implemented on the client side or not.
>
> Regards
> Vishal
>
> On Wed, Mar 31, 2010 at 9:42 PM, Tom Stripling <
> tstripling at appsecconsulting.com> wrote:
>
> Mike,
>
>
>
> The previous version of the Guide does not match the ASVS outline at **all**.
> I will have to do a rewrite in order to get it into a format that
> matches the ASVS headers.  For now I’ve just created blank pages and pasted
> the previous Guide version into the main Input Validation page.  Is that
> going to work for you?  If not, I’d appreciate your input on how you think
> that content should be segregated.
>
>
>
> Regards,
>
> Tom
>
>
>
> *From:* owasp-guide-bounces at lists.owasp.org [mailto:
> owasp-guide-bounces at lists.owasp.org] *On Behalf Of *Boberski, Michael
> [USA]
> *Sent:* Thursday, March 25, 2010 3:14 PM
> *To:* owasp-guide at lists.owasp.org
> *Subject:* [Owasp-guide] Authors -- how goes?
>
>
>
> Hi folks,
>
>
>
> How goes things with the various sections and worksheets?
>
>
>
> Lots of activity actually, looking at SVN logs.
>
>
>
> Go ahead, share your good works from this past week with the team.
>
>
>
> Best,
>
>
>
> Mike B.
>
>
>
>
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-guide
>
>
>
>
>
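As an added example, not from the thread or from ASVS itself, the distinction Mike draws can be modelled in code: a server-side enforcement point that every request passes through (4.11), and a verifier step for 4.9 that lists the rules the presentation layer implies (actions a role is never shown) but the server does not actually enforce. Role, action and menu names below are constructed for illustration.

```python
# Added example (not from the thread): ASVS 4.9 vs 4.11 as a runnable check.
# 4.11: every request is authorised on the server, whatever the client sent.
# 4.9: the rules the UI implies (what each role is shown) match server rules.
# All role, action and menu names are constructed for illustration.
from typing import Dict, List, Set, Tuple

Role = str
Action = str

# Presentation layer: which actions the UI renders for each role (constructed).
UI_MENU: Dict[Role, Set[Action]] = {
    "admin": {"view_report", "export_report", "delete_user"},
    "user": {"view_report"},
}

# Server-side policy, deliberately out of step with the UI: "user" is never
# shown "export_report", yet the server would allow it (a 4.9 finding).
SERVER_POLICY: Dict[Action, Set[Role]] = {
    "view_report": {"admin", "user"},
    "export_report": {"admin", "user"},
    "delete_user": {"admin"},
}

def authorize(role: Role, action: Action, policy=SERVER_POLICY) -> bool:
    """Server-side enforcement point (4.11): decide from server state only,
    never from anything the client claims about what it was shown."""
    return role in policy.get(action, set())

def handle_request(role: Role, action: Action) -> Tuple[int, str]:
    """Request handler: the server check runs even for actions the UI hid."""
    if not authorize(role, action):
        return 403, "forbidden"
    return 200, f"{action} performed"

def implied_rules_not_enforced(ui_menu, policy) -> List[Tuple[Role, Action]]:
    """Verifier step for 4.9: (role, action) pairs the presentation layer
    implies are forbidden (not rendered for that role) but the server allows."""
    all_actions = set(policy) | {a for acts in ui_menu.values() for a in acts}
    gaps = []
    for role, shown in ui_menu.items():
        for action in sorted(all_actions - shown):
            if authorize(role, action, policy):
                gaps.append((role, action))
    return gaps

if __name__ == "__main__":
    print(handle_request("user", "delete_user"))            # (403, 'forbidden')
    print(implied_rules_not_enforced(UI_MENU, SERVER_POLICY))  # [('user', 'export_report')]
```

The verifier's output is exactly the comparison the thread describes: the UI implies "user" may not export, and the server check disagrees, so 4.11 is satisfied (a check exists) while 4.9 is not.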