[Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Vishal Garg vishalgrg at gmail.com
Sun Apr 25 12:50:28 EDT 2010


Hi Mike,

Thanks for your reply. I have now made changes to the Wiki. Could you please
have a look and see if it looks alright?

Thanks
Vishal

On Sun, Apr 25, 2010 at 5:14 PM, Mike Boberski <mike.boberski at gmail.com>wrote:

> I think, that over-complicates things.
>
> I'm shooting for the low-bar at this point of re-sorting the previous guide
> into an asvs-based outline, adding some worksheets, and adding some front
> matter.
>
> Mike
>
>
>
> On Sun, Apr 25, 2010 at 11:19 AM, Vishal Garg <vishalgrg at gmail.com> wrote:
>
>> Hi Mike,
>>
>> I was trying to understand your new structure below today and had a few
>> doubts which I wanted to clarify before making changes to the Wiki.
>>
>> The new structure would mean that we will have only three top-level
>> sections, i.e. "Build or Buy", "Worksheets" and "See also".
>>
>> All the ASVS requirements would go under "Build or Buy", such as
>> OWASP-0501 and OWASP-0502 etc. All the worksheets would go under the section
>> "Worksheets" and similarly other stuff such as the references and cheat
>> sheets would go under "See also". (Sorry for repeating, but I wanted to make
>> sure that I understand it correctly.)
>>
>> As you said, we will be linking stuff under the "Worksheets" and "See also"
>> sections from the "Build or Buy" section. Is there any numbering scheme that
>> we are going to use under the Worksheets and See also sections? For example,
>> there are nine ASVS requirements under Input validation. If we are going to
>> have one worksheet per ASVS requirement and one reference document under the
>> See also section, how are we going to number these to make it very obvious to
>> the reader which ASVS requirement the worksheet or the reference
>> document belongs to?
>>
>> I am making my suggestion here. Please let me know what you think either
>> way:
>>
>> # OWASP-0500 Input Validation
>>
>>    * Build or buy?
>>          o OWASP-0502 Verify that a positive validation pattern is
>> defined and applied to all input.
>>                + OWASP-0502-DG-01 Define a positive validation pattern
>> for all input
>>                + OWASP-0502-DG-02 Apply a positive validation pattern to
>> all input
>>          o ...
>>    * Worksheets
>>          o OWASP-0502-WS-01  (WS = Worksheet)
>>          o ...
>>    * See also
>>          o OWASP-0502-RD-01  (RD = Reference document)
>>          o ...
>>
>> I think having this structure would help the reader to reference each
>> section pretty quickly without actually reading the contents of the section.
>>
>> Regards
>> Vishal
>>
>> On Mon, Apr 5, 2010 at 7:32 PM, Boberski, Michael [USA] <
>> boberski_michael at bah.com> wrote:
>>
>>> Hi,
>>>
>>>
>>> (((((( PLEASE READ BELOW. PLEASE UPDATE YOUR SECTION ACCORDINGLY.
>>> NUMBERING COP, LITTLE HELP AS WELL FOR E.G. 1300?? I AM GOING TO STOP MY
>>> FURTHER REVIEWS UNTIL THE OUTLINES ARE UPDATED. ))))))))
>>>
>>>
>>> Here is the revised outline for the detailed sections, using input
>>> validation as the example, the online version of which has yet to be updated
>>> accordingly:
>>>
>>>
>>> # OWASP-0500 Input Validation
>>>
>>>    * Build or buy?
>>>          o OWASP-0502 Verify that a positive validation pattern is
>>> defined and applied to all input.
>>>                + OWASP-0502-DG-01 Define a positive validation pattern
>>> for all input
>>>                + OWASP-0502-DG-02 Apply a positive validation pattern to
>>> all input
>>>          o ...
>>>    * Worksheets
>>>          o Input validation worksheet
>>>          o ...
>>>    * See also
>>>
>>>
>>> For "# OWASP-0500 Input Validation", there shall be a brief explanation
>>> about what input validation is and examples of related vulnerabilities,
>>> containing recycled or new content.
>>>
>>> For "Build or buy", this shall be the guts of each section, containing
>>> recycled or new content, according to ASVS requirement and derived guide
>>> requirement. The reader should be able to determine if available solutions
>>> are sufficient, whether they'll have to build or buy, after reading through
>>> this section; that is the "sanity check" that will be performed when
>>> reviewing this section. Subsections shall refer to any available worksheets
>>> in the next section.
>>>
>>> For "Worksheets", there shall be one or more worksheets per section. This
>>> will be entirely new content.
>>>
>>> For "See also", there shall be references to cheat sheets and other
>>> sections and OWASP materials as appropriate.
>>>
>>> This structure will also allow us to insert a "Sample code" section later
>>> on, but I do not wish to confuse matters by trying to juggle code and
>>> content at this point.
>>>
>>>
>>> _______________________________________________
>>> Owasp-guide mailing list
>>> Owasp-guide at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-guide
>>>
>>
>>
>>
>> --
>> Vishal Garg
>> Web Security Specialist
>>
>> Blog: http://www.ethicalhack.co.uk
>> Twitter: http://www.twitter.com/vishalgrg
>> Linkedin: http://www.linkedin.com/in/vishalgrg
>>
>>
>>
>


-- 
Vishal Garg
Web Security Specialist

Blog: http://www.ethicalhack.co.uk
Twitter: http://www.twitter.com/vishalgrg
Linkedin: http://www.linkedin.com/in/vishalgrg
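
The outline above keeps OWASP-0502 ("Verify that a positive validation pattern is defined and applied to all input") as a heading only. As an added illustration, not part of this thread or of the OWASP Guide, the following Python shows what the two derived requirements (define a pattern, apply it to all input) look like in code. The form fields, patterns and length limits are constructed for the example.

```python
import re
import unicodedata

# Allow-list rules for one hypothetical order form, constructed for this
# example (not taken from the OWASP Guide). Each field gets a pattern that
# describes exactly what is acceptable plus a hard length bound. Input that
# does not match is rejected, not "cleaned": positive validation names what
# is allowed instead of trying to enumerate what is forbidden.
FIELD_RULES = {
    "username": (re.compile(r"[a-z][a-z0-9_]{2,31}"), 32),
    "zip":      (re.compile(r"[0-9]{5}(-[0-9]{4})?"), 10),
    "quantity": (re.compile(r"[1-9][0-9]{0,2}"), 3),
}


class ValidationError(ValueError):
    """Raised for any input that fails its positive validation pattern."""


def validate_field(name, raw):
    """Return the validated value for field `name`, or raise ValidationError.

    The same rule is applied to every occurrence of the field, which is the
    "applied to all input" half of the requirement: the check lives in one
    place rather than being re-implemented (and forgotten) per handler.
    """
    if name not in FIELD_RULES:
        raise ValidationError(f"unexpected field {name!r}")
    if not isinstance(raw, str):
        raise ValidationError(f"{name}: expected a string, got {type(raw).__name__}")
    pattern, max_len = FIELD_RULES[name]

    # Normalize first so compatibility forms (fullwidth digits, ligatures)
    # are judged by the same pattern as their ASCII equivalents. The length
    # check comes after normalization because NFKC can change the length.
    value = unicodedata.normalize("NFKC", raw)
    if len(value) > max_len:
        raise ValidationError(f"{name}: longer than {max_len} characters")

    # fullmatch() requires the pattern to cover the whole string. Using
    # re.match() with "^...$" would be a bug here: "$" also matches just
    # before a trailing newline, so "12345\n" would pass the zip pattern.
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{name}: does not match the allowed pattern")
    return value


def validate_request(fields):
    """Validate a whole request dict; return (clean_values, errors).

    Unknown fields are an error too, so a client cannot smuggle in extra
    parameters that a later handler might trust. Every expected field
    must be present: an absent field is not "valid by default".
    """
    clean, errors = {}, {}
    for name, raw in fields.items():
        try:
            clean[name] = validate_field(name, raw)
        except ValidationError as exc:
            errors[name] = str(exc)
    for name in FIELD_RULES:
        if name not in fields:
            errors[name] = f"{name}: required field is missing"
    return clean, errors


if __name__ == "__main__":
    # Constructed sample requests, one clean and one hostile.
    good = {"username": "alice_01", "zip": "90210-1234", "quantity": "3"}
    bad = {"username": "admin' OR '1'='1", "zip": "12345\n",
           "quantity": "3", "is_admin": "true"}
    print(validate_request(good))
    print(validate_request(bad))
```

The point the code makes is that the hostile username is refused without the validator knowing anything about SQL: it simply is not a lowercase identifier. A negative pattern (a list of forbidden strings) would have to be updated every time a new attack string appeared.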