[Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Boberski, Michael [USA] boberski_michael at bah.com
Mon Apr 26 13:17:12 EDT 2010


Vishal, 0400's looking good!! Team, check it out here: http://code.google.com/p/owasp-development-guide/wiki/WebAppSecDesignGuide_D4 The outline and numbering look right, the breaking of ASVS requirement into individual dev guide steps, all good.

Format #1 for the worksheet here: http://owasp-development-guide.googlecode.com/svn/trunk/worksheets/Access-Control-Worksheet-Format-1.doc ; let's go with that. The worksheets should be sufficiently clear that they lend themselves towards creating more complicated, application-specific spreadsheets and such.

Thank you for your hard work. Keep going! :)

Best,

Mike B.

From: Vishal Garg [mailto:vishalgrg at gmail.com]
Sent: Sunday, April 25, 2010 12:50 PM
To: mike.boberski at gmail.com
Cc: Boberski, Michael [USA]; owasp-guide at lists.owasp.org
Subject: Re: [Owasp-guide] AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)

Hi Mike,

Thanks for your reply. I have now made changes to the Wiki. Could you please have a look and see if it looks alright?

Thanks
Vishal
On Sun, Apr 25, 2010 at 5:14 PM, Mike Boberski <mike.boberski at gmail.com> wrote:
I think that over-complicates things.

I'm shooting for the low-bar at this point of re-sorting the previous guide into an asvs-based outline, adding some worksheets, and adding some front matter.

Mike


On Sun, Apr 25, 2010 at 11:19 AM, Vishal Garg <vishalgrg at gmail.com> wrote:
Hi Mike,

I was trying to understand your new structure below today and had a few doubts which I wanted to clarify before making changes to the Wiki.

The new structure would mean that we will have only three top-level sections, i.e. "Build or Buy", "Worksheets" and "See also".

All the ASVS requirements would go under "Build and Buy" such as OWASP-0501 and OWASP-0502 etc. All the worksheets would go under the section "Worksheets" and similarly other stuff such as the references and cheat sheets would go under "See also". (Sorry for repeating, but I wanted to make sure that I understand it correctly.)

As you said, we will be linking stuff under the "Worksheets" and "See also" sections from the "Build or Buy" section. Is there any numbering scheme that we are going to use under the Worksheets and See also sections? For example, there are nine ASVS requirements under Input validation. If we are going to have one worksheet per ASVS requirement and one reference document under the See also section, how are we going to number these to make it very obvious to the reader which ASVS requirement the worksheet or the reference document belongs to?

I am making my suggestion here. Please let me know what you think either way:

# OWASP-0500 Input Validation

   * Build or buy?
         o OWASP-0502 Verify that a positive validation pattern is defined and applied to all input.
               + OWASP-0502-DG-01 Define a positive validation pattern for all input
               + OWASP-0502-DG-02 Apply a positive validation pattern to all input
         o ...
   * Worksheets
         o OWASP-0502-WS-01  (WS = Worksheet)
         o ...
   * See also
         o OWASP-0502-RD-01  (RD = Reference document)
         o ...

I think having this structure would help the reader to reference each section pretty quickly without actually reading the contents of the section.

Regards
Vishal
On Mon, Apr 5, 2010 at 7:32 PM, Boberski, Michael [USA] <boberski_michael at bah.com> wrote:
Hi,


(((((( PLEASE READ BELOW. PLEASE UPDATE YOUR SECTION ACCORDINGLY. NUMBERING COP, LITTLE HELP AS WELL FOR E.G. 1300?? I AM GOING TO STOP MY FURTHER REVIEWS UNTIL THE OUTLINES ARE UPDATED. ))))))))


Here is the revised outline for the detailed sections, using input validation as the example, the online version of which has yet to be updated accordingly:


# OWASP-0500 Input Validation

   * Build or buy?
         o OWASP-0502 Verify that a positive validation pattern is defined and applied to all input.
               + OWASP-0502-DG-01 Define a positive validation pattern for all input
               + OWASP-0502-DG-02 Apply a positive validation pattern to all input
         o ...
   * Worksheets
         o Input validation worksheet
         o ...
   * See also


For "# OWASP-0500 Input Validation", there shall be a brief explanation about what input validation is and examples of related vulnerabilities, containing recycled or new content.

For "Build or buy", this shall be the guts of each section, containing recycled or new content, according to ASVS requirement and derived guide requirement. The reader should be able to determine if available solutions are sufficient, whether they'll have to build or buy, after reading through this section; that is the "sanity check" that will be performed when reviewing this section. Subsections shall refer to any available worksheets in the next section.

For "Worksheets", there shall be one or more worksheets per section. This will be entirely new content.

For "See also", there shall be references to cheat sheets and other sections and OWASP materials as appropriate.

This structure will also allow us to insert a "Sample code" section later on, but I do not wish to confuse matters by trying to juggle code and content at this point.


_______________________________________________
Owasp-guide mailing list
Owasp-guide at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-guide



--
Vishal Garg
Web Security Specialist

Blog: http://www.ethicalhack.co.uk
Twitter: http://www.twitter.com/vishalgrg
Linkedin: http://www.linkedin.com/in/vishalgrg
