[Owasp-guide] Help out with OWASP Development Guide?

Boberski, Michael [USA] boberski_michael at bah.com
Tue Apr 6 08:31:53 EDT 2010
Hi Bob. Done, assignment made: http://code.google.com/p/owasp-development-guide/wiki/ProjectManagement_Assignments

Basically what we want to do is to re-sort the previous guide according to ASVS requirements, add some worksheets to help people get started collecting information in order to then act on guide guidance, and add some front matter, that's basically all we're shooting for, other than to fill in some gaps w.r.t. previous guide content and also ASVS requirements, in anticipation of a next revision of that document.

Please reach out to Kevin to coordinate, copied, but yes, that would be a fine first step, to create the wiki pages in order to rough in the outline/TOC, per this guidance, from earlier emails:
Here is the revised outline for the detailed sections, using input validation as the example, the online version of which has yet to be updated accordingly:

# OWASP-0500 Input Validation

    * Build or buy?
          o OWASP-0502 Verify that a positive validation pattern is defined and applied to all input.
                + OWASP-0502-DG-01 Define a positive validation pattern for all input
                + OWASP-0502-DG-02 Apply a positive validation pattern to all input
          o ...
    * Worksheets
          o Input validation worksheet
          o ...
    * See also


For "# OWASP-0500 Input Validation", there shall be a brief explanation about what input validation is and examples of related vulnerabilities, containing recycled or new content.
For "Build or buy", this shall be the guts of each section, containing recycled or new content, according to ASVS requirement and derived guide requirement. The reader should be able to determine if available solutions are sufficient, whether they'll have to build or buy, after reading through this section, that is the "sanity check" that will be performed when reviewing this section. Subsections shall refer to any available worksheets in the next section.
For "Worksheets", there shall be one or more worksheets per section. This will be entirely new content.
For "See also", there shall be references to cheat sheets and other sections and OWASP materials as appropriate.
This structure will also allow us to insert a "Sample code" section later on, but I do not wish to confuse matters by trying to juggle code and content at this point.
Best,

Mike B.

There is no "trust but verify" when it comes to application security!
Verify, THEN trust! Read the entire post: Inside Booz Allen<http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>, Outside of Booz Allen<http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>

From: Robert Casazza [mailto:rcasazza at gmail.com]
Sent: Monday, April 05, 2010 9:09 PM
To: Boberski, Michael [USA]
Subject: Re: Help out with OWASP Development Guide?


Sounds good Mike.

I'd be interested in working on the Cryptography section...

So I understand... for now we're looking to recycle sections with new numbering from the current 2005 guide, correct? So I should go through that and set up sections in the wiki?

Bob

On Mon, Apr 5, 2010 at 3:00 PM, Boberski, Michael [USA] <boberski_michael at bah.com<mailto:boberski_michael at bah.com>> wrote:
Hi again Bob. The main requirement for contributing to the project is a desire to learn and to participate. I will provide guidance to people who reach out and who participate.

Is there any particular area you'd be interested in working on? Here are the current assignments: http://code.google.com/p/owasp-development-guide/wiki/ProjectManagement_Assignments

For example, the task across all of the sections that people are working on right this moment is to fill in a prescribed outline that we've iteratively refined, and go searching for previous guide materials to recycle, just to collect it up. The idea is that this is being worked in an Agile-like manner, i.e. iteratively and incrementally.

Best,

Mike B.

---------- Forwarded message ----------
From: Mike Boberski <mike.boberski at gmail.com<mailto:mike.boberski at gmail.com>>
Date: Sat, Apr 3, 2010 at 11:33 AM
Subject: Re: Help out with OWASP Development Guide?
To: Robert Casazza <rcasazza at gmail.com<mailto:rcasazza at gmail.com>>

Hi Bob, thanks for the note. Always looking for volunteers. I'll write more on Monday.

Best,

Mike

On Fri, Apr 2, 2010 at 9:56 PM, Robert Casazza <rcasazza at gmail.com<mailto:rcasazza at gmail.com>> wrote:

Hi Mike,

Not sure if it's too late to get involved, but I'd like to help out with the upcoming development guide.

I've been in software development for 20 years, I am currently VP and Chief Software Architect for Diversified Investment Advisors.

I am NOT a security expert... but maybe I can help out anyway.

Let me know...

Thanks,
Bob