[Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Vishal Garg vishalgrg at gmail.com
Sun Apr 25 11:19:20 EDT 2010


Hi Mike,

I was trying to understand your new structure below today and had few doubts
which I wanted to clarify before making changes to the Wiki.

The new structure would mean that we will have only three top level section
i.e. "Build or Buy", "Worksheets" and "See also".

All the ASVS requirements would go under "Build and Buy" such as OWASP-0501
and OWASP-0502 etc. All the worksheets would go under the section
"Worksheets" and similarly other stuff such as the references and cheat
sheets would go under "See also". (Sorry for repeating, but I wanted to make
sure that I understand it correctly.)

As you said we will be linking stuff under "Worksheet" and "See also"
sections from the "Build or Buy" section. Is there any numbering scheme that
we are going to use under Worksheets and See also sections. For example,
there are nine ASVS requirements under Input validation. If we are going to
have one worksheet per ASVS requirement and one reference document under see
also section, how are we going to number these to make it very obvious to
the reader that which ASVS requirement the worksheet or the reference
document below to.

I am making my suggestion here. Please let me know what you think either
way:

# OWASP-0500 Input Validation

   * Build or buy?
         o OWASP-0502 Verify that a positive validation pattern is defined
and applied to all input.
               + OWASP-0502-DG-01 Define a positive validation pattern for
all input
               + OWASP-0502-DG-02 Apply a positive validation pattern to all
input
         o ...
   * Worksheets
         o OWASP-0502-WS-01  (WS = Worksheet)
         o ...
   * See also
         o OWASP-0502-RD-01  (RD = Reference document)
         o ...

I think having this structure would help the reader to reference each
section pretty quickly without actually reading the contents of the section.

Regards
Vishal

On Mon, Apr 5, 2010 at 7:32 PM, Boberski, Michael [USA] <
boberski_michael at bah.com> wrote:

> Hi,
>
>
> (((((( PLEASE READ BELOW. PLEASE UPDATE YOUR SECTION ACCORDINGLY. NUMBERING
> COP, LITTLE HELP AS WELL FOR E.G. 1300?? I AM GOING TO STOP MY FURTHER
> REVIEWS UNTIL THE OUTLINES ARE UPDATED. ))))))))
>
>
> Here is the revised outline for the detailed sections, using input
> validation as the example, the online version of which has yet to be updated
> accordingly:
>
>
> # OWASP-0500 Input Validation
>
>    * Build or buy?
>          o OWASP-0502 Verify that a positive validation pattern is defined
> and applied to all input.
>                + OWASP-0502-DG-01 Define a positive validation pattern for
> all input
>                + OWASP-0502-DG-02 Apply a positive validation pattern to
> all input
>          o ...
>    * Worksheets
>          o Input validation worksheet
>          o ...
>    * See also
>
>
> For "# OWASP-0500 Input Validation", there shall be a brief explanation
> about what input validation is and examples of related vulnerabilities,
> containing recycled or new content.
>
> For "Build or buy", this shall be the guts of each section, containing
> recycled or new content, according to ASVS requirement and derived guide
> requirement. The reader should be able to determine if available solutions
> are sufficient, whether they'll have to build or buy, after reading through
> this section, that is the "sanity check" that will be performed when
> reviewing this section. Subsections shall refer to any available worksheets
> in the next section.
>
> For "Worksheets", there shall be one or more worksheets per section. This
> will be entirely new content.
>
> For "See also", there shall be references to cheat sheets and other
> sections and OWASP materials as appropriate.
>
> This structure will also allow us to insert a "Sample code" section later
> on, but I do not wish to confuse matters by trying to juggle code and
> content at this point.
>
>
> _______________________________________________
> Owasp-guide mailing list
> Owasp-guide at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-guide
>



-- 
Vishal Garg
Web Security Specialist

Blog: http://www.ethicalhack.co.uk
Twitter: http://www.twitter.com/vishalgrg
Linkedin: http://www.linkedin.com/in/vishalgrg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-guide/attachments/20100425/c31f7a38/attachment.html 


More information about the Owasp-guide mailing list