[Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Mike Boberski mike.boberski at gmail.com
Sun Apr 25 12:14:43 EDT 2010


I think that over-complicates things.

I'm shooting for the low-bar at this point of re-sorting the previous guide
into an asvs-based outline, adding some worksheets, and adding some front
matter.

Mike


On Sun, Apr 25, 2010 at 11:19 AM, Vishal Garg <vishalgrg at gmail.com> wrote:

> Hi Mike,
>
> I was trying to understand your new structure below today and had a few
> doubts which I wanted to clarify before making changes to the Wiki.
>
> The new structure would mean that we will have only three top-level sections,
> i.e. "Build or Buy", "Worksheets" and "See also".
>
> All the ASVS requirements would go under "Build or Buy", such as OWASP-0501
> and OWASP-0502 etc. All the worksheets would go under the section
> "Worksheets", and similarly other stuff such as the references and cheat
> sheets would go under "See also". (Sorry for repeating, but I wanted to make
> sure that I understand it correctly.)
>
> As you said, we will be linking stuff under the "Worksheets" and "See also"
> sections from the "Build or Buy" section. Is there any numbering scheme that
> we are going to use under the Worksheets and See also sections? For example,
> there are nine ASVS requirements under Input validation. If we are going to
> have one worksheet per ASVS requirement and one reference document under the
> See also section, how are we going to number these so that it is very obvious
> to the reader which ASVS requirement the worksheet or the reference document
> belongs to?
>
> I am making my suggestion here. Please let me know what you think either
> way:
>
> # OWASP-0500 Input Validation
>
>    * Build or buy?
>          o OWASP-0502 Verify that a positive validation pattern is defined
> and applied to all input.
>                + OWASP-0502-DG-01 Define a positive validation pattern for
> all input
>                + OWASP-0502-DG-02 Apply a positive validation pattern to
> all input
>          o ...
>    * Worksheets
>          o OWASP-0502-WS-01  (WS = Worksheet)
>          o ...
>    * See also
>          o OWASP-0502-RD-01  (RD = Reference document)
>          o ...
>
> I think having this structure would help the reader reference each
> section pretty quickly without actually reading the contents of the section.
>
> Regards
> Vishal
>
> On Mon, Apr 5, 2010 at 7:32 PM, Boberski, Michael [USA] <
> boberski_michael at bah.com> wrote:
>
>> Hi,
>>
>>
>> (((((( PLEASE READ BELOW. PLEASE UPDATE YOUR SECTION ACCORDINGLY.
>> NUMBERING COP, LITTLE HELP AS WELL FOR E.G. 1300?? I AM GOING TO STOP MY
>> FURTHER REVIEWS UNTIL THE OUTLINES ARE UPDATED. ))))))))
>>
>>
>> Here is the revised outline for the detailed sections, using input
>> validation as the example, the online version of which has yet to be updated
>> accordingly:
>>
>>
>> # OWASP-0500 Input Validation
>>
>>    * Build or buy?
>>          o OWASP-0502 Verify that a positive validation pattern is defined
>> and applied to all input.
>>                + OWASP-0502-DG-01 Define a positive validation pattern for
>> all input
>>                + OWASP-0502-DG-02 Apply a positive validation pattern to
>> all input
>>          o ...
>>    * Worksheets
>>          o Input validation worksheet
>>          o ...
>>    * See also
>>
>>
>> For "# OWASP-0500 Input Validation", there shall be a brief explanation
>> about what input validation is and examples of related vulnerabilities,
>> containing recycled or new content.
>>
>> For "Build or buy", this shall be the guts of each section, containing
>> recycled or new content, according to the ASVS requirement and derived guide
>> requirement. The reader should be able to determine whether available solutions
>> are sufficient, or whether they'll have to build or buy, after reading through
>> this section; that is the "sanity check" that will be performed when
>> reviewing this section. Subsections shall refer to any available worksheets
>> in the next section.
>>
>> For "Worksheets", there shall be one or more worksheets per section. This
>> will be entirely new content.
>>
>> For "See also", there shall be references to cheat sheets and other
>> sections and OWASP materials as appropriate.
>>
>> This structure will also allow us to insert a "Sample code" section later
>> on, but I do not wish to confuse matters by trying to juggle code and
>> content at this point.
>>
>>
>> _______________________________________________
>> Owasp-guide mailing list
>> Owasp-guide at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-guide
>>
>
>
>
> --
> Vishal Garg
> Web Security Specialist
>
> Blog: http://www.ethicalhack.co.uk
> Twitter: http://www.twitter.com/vishalgrg
> Linkedin: http://www.linkedin.com/in/vishalgrg
>