[Owasp-guide] Awaiting further guidance for OWASP-0100 Security Architecture

Boberski, Michael [USA] boberski_michael at bah.com
Fri Apr 9 12:30:42 EDT 2010

Hi guys. Please do make sure to first squeeze what you've got now into the latest outline. This applies to all teams. Please do use the ASVS requirements as your roadmap, that will help you bound and scope recycling from the previous guide, basically then doing gap analysis to figure out what new material will need to be written, then writing that. Basically the bulk of this version of the guide should be simply a reshuffle according to ASVS requirements, with some new worksheets, with some new but comparatively brief front matter.


Mike B.

-----Original Message-----
From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Kevin Horvath
Sent: Friday, April 09, 2010 12:26 PM
To: Mike Lewis
Cc: owasp-guide at lists.owasp.org
Subject: Re: [Owasp-guide] Awaiting further guidance for OWASP-0100 Security Architecture

Hi Mike,

First, thanks for taking the effort to clean up the first stab at the
write-up Charlie and I provided.  This section is a little different
from the others as it encompasses the entire Application and its
environment.  So basically its not a deep dive into any one area (such
as input validation for example) but i wanted to make sure i touched
on all areas of importance to application security and its surrounding
environment.  So I wanted to touch on all areas of application design
(logical and phyical placement), supporting security devices (web app
firewalls for example), etc.
I dont believe there is any specific roadmap for our section.  So, I
would recommend starting with what Charlie and I put up on the wiki
and editing, removing things that you dont necessarily agree with,
adding and expanding on areas you think need more information, etc.
The Architecture section could be a book in itself if we deep dived
into every area and some of the areas start boardering on being out of
scope if you go too deep (for example IDS, app firewalls, etc) but
they need to be mentioned.  Basically make of it what you will and add
to it how you see fit.  If you want to just brainstorm and throw out
some ideas to list on how to build off whats currently there, then we
can help.  Let me know what you think of the current content and your
ideas of where you would like to see it go and Charlie and I can help
you write it.


On Fri, Apr 9, 2010 at 11:00 AM, Mike Lewis <m_d_lewis at comcast.net> wrote:
> Mylene and all,
>     I've broken down the Security Architecture section into further chunks,
> and now I am awaiting further instructions on what to do next.
>     I know some of you have worked on OWASP projects in the past and a lot
> of this stuff is intuitively obvious to you, but this is my first one and I
> need a little more handholding and guidance. As you can see by my work
> already, though, if you show me what needs to be done, I'll go out and do it
> a hundred times over. I just need that small push to get going.
>     Mylene, you're supposed to be leading this section, but I haven't heard
> one peep from you. I've gotten some cloudy and conflicting guidance from
> Mike about what to do, but I'm still sort of lost, as he apparently has a
> master vision for this document, but I'm completely blind as to what it is.
> I know Charlie and Kevin have taken a stab at some documentation for the
> section, and I applaud them for their enthusiasm; like them, I want to jump
> in and crank some material out. However, I think we're all confused about
> what exactly our roles here are.
>     I know Mike has a definite vision of how this thing should be set up,
> based on his comments thus far about how the document should be structured.
> I believe that he has shared that vision with Mylene, based on his repeated
> requests for me to coordinate with Mylene. However, that vision has not
> trickled down to me, which is the source of my frustration on this project.
>     I respectfully request some additional guidance from anyone who will
> step up and help show me and guide me and lead me to what exactly I am
> supposed to be doing.
> Sincerely,
> -- Mike Lewis
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-guide
Owasp-guide mailing list
Owasp-guide at lists.owasp.org

More information about the Owasp-guide mailing list