[Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Boberski, Michael [USA] boberski_michael at bah.com
Mon Apr 19 13:30:35 EDT 2010


Hi Tom, thanks for checking in. No worries on any delay.

Yes, that's the upshot for the outline. 

I don't want the TOC to immediately expand down the page with a million sections. The benefit is if someone knows what worksheet they want for example, they don't have to dig for it. I'm open to revisiting what we call the top-level section "Build or buy?" later on.

Best,

Mike B.


-----Original Message-----
From: Tom Stripling [mailto:tstripling at appsecconsulting.com] 
Sent: Monday, April 19, 2010 12:22 PM
To: Boberski, Michael [USA]; owasp-guide at lists.owasp.org
Subject: RE: [Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Right, so it turns out that when you mess up a Gmail filter, you end up
dumping everything straight into the archive instead of the folder where you
thought it was going.  I haven't gotten any of these emails in the past 3
weeks.  I thought the list was rather quiet...

I'm going to get on this now, but I want to understand it better to make
sure I get it right.  You're saying the top-level outline should be "Build
or buy?" and then each subsection?  That seems somewhat unnecessary to me.
Why not just have "worksheets" and "see also" be peers to each subsection
(e.g. OWASP-0502):

# OWASP-0500 Input Validation

    * OWASP-0502 Verify that a positive validation pattern is defined and applied to all input.
          o OWASP-0502-DG-01 Define a positive validation pattern for all input
          o OWASP-0502-DG-02 Apply a positive validation pattern to all input
          o ...
    * Worksheets
          o Input validation worksheet
          o ...
    * See also


Also, am I correct in understanding that this would mean we could
potentially have a single worksheet for an entire section?

Thanks and sorry again for the delay.

Tom


-----Original Message-----
From: owasp-guide-bounces at lists.owasp.org
[mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Boberski, Michael
[USA]
Sent: Monday, April 05, 2010 1:32 PM
To: owasp-guide at lists.owasp.org
Subject: [Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Hi,


(((((( PLEASE READ BELOW. PLEASE UPDATE YOUR SECTION ACCORDINGLY. NUMBERING
COP, LITTLE HELP AS WELL FOR E.G. 1300?? I AM GOING TO STOP MY FURTHER
REVIEWS UNTIL THE OUTLINES ARE UPDATED. ))))))))


Here is the revised outline for the detailed sections, using input
validation as the example, the online version of which has yet to be updated
accordingly:


# OWASP-0500 Input Validation

    * Build or buy?
          o OWASP-0502 Verify that a positive validation pattern is defined and applied to all input.
                + OWASP-0502-DG-01 Define a positive validation pattern for all input
                + OWASP-0502-DG-02 Apply a positive validation pattern to all input
          o ...
    * Worksheets
          o Input validation worksheet
          o ...
    * See also


For "# OWASP-0500 Input Validation", there shall be a brief explanation
about what input validation is and examples of related vulnerabilities,
containing recycled or new content.

For "Build or buy", this shall be the guts of each section, containing
recycled or new content, according to ASVS requirement and derived guide
requirement. After reading through this section, the reader should be able to
determine whether available solutions are sufficient, or whether they'll have
to build or buy; that is the "sanity check" that will be performed when
reviewing this section. Subsections shall refer to any available worksheets
in the next section.

For "Worksheets", there shall be one or more worksheets per section. This
will be entirely new content.

For "See also", there shall be references to cheat sheets and other sections
and OWASP materials as appropriate. 

This structure will also allow us to insert a "Sample code" section later
on, but I do not wish to confuse matters by trying to juggle code and
content at this point.


_______________________________________________
Owasp-guide mailing list
Owasp-guide at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-guide