[Owasp-guide] Owasp-guide Digest, Vol 30, Issue 13

vinoth sivasubramanian vinoth.sivasubramanian at gmail.com
Sat Dec 18 00:21:23 EST 2010


Hi Vishal and Anurag

I am actively working and committed to the malicious code part.

Thanks and Regards

Vinoth

On Sat, Dec 18, 2010 at 5:08 AM, <owasp-guide-request at lists.owasp.org> wrote:

> Send Owasp-guide mailing list submissions to
>        owasp-guide at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.owasp.org/mailman/listinfo/owasp-guide
> or, via email, send a message with subject or body 'help' to
>        owasp-guide-request at lists.owasp.org
>
> You can reach the person managing the list at
>        owasp-guide-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Owasp-guide digest..."
>
>
> Today's Topics:
>
>   1. Re: Owasp-guide Digest, Vol 30, Issue 12 (Koen Machilsen)
>   2. Re: Owasp-guide Digest, Vol 30, Issue 1 (Abe)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 17 Dec 2010 22:03:47 +0100
> From: Koen Machilsen <koen.machilsen at skynet.be>
> Subject: Re: [Owasp-guide] Owasp-guide Digest, Vol 30, Issue 12
> To: owasp-guide at lists.owasp.org
> Message-ID: <4D0BD033.2090702 at skynet.be>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Vishal,
>
> I'm still willing to contribute to the level assigned. Due to time
> limitations I prefer not to have a lead role assigned.
>
> Koen
>
> On 17/12/2010 18:00, owasp-guide-request at lists.owasp.org wrote:
> >
> > Today's Topics:
> >
> >     1. Re: Contributions to OWASP Development Guide (Vishal Garg)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Fri, 17 Dec 2010 14:01:36 +0000
> > From: Vishal Garg <vishalgrg at gmail.com>
> > Subject: Re: [Owasp-guide] Contributions to OWASP Development Guide
> > To: owasp-guide at lists.owasp.org
> > Message-ID:
> >       <AANLkTincijZu6_QOSLRTk+f8kns=mfrhnwZ0nHvtJQ6L at mail.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Hi All,
> >
> > If you have not responded to my earlier email below yet, you still have
> > one day to respond to let us know of your interest to contribute to the
> > development guide. After this, we would be going to take off the names of
> > people who have not responded and make another call for volunteers who
> > might be willing to contribute to the guide.
> >
> > Many thanks for your cooperation and for your time to contribute to the
> > development guide.
> >
> > Regards
> > Vishal
> >
> >
> > On Mon, Dec 13, 2010 at 11:05 PM, Vishal Garg <vishalgrg at gmail.com> wrote:
> >
> >
> >> Hi All,
> >>
> >> Only half of the people have responded to my email below. Could the rest
> >> of you who have not responded yet reply to this email to let us know of
> >> your interest asap so that we could update our records accordingly.
> >>
> >> I would appreciate it if you could respond by the end of this week (18/12).
> >> If your response is not received by this date, your name could be removed
> >> from the list of contributors, to reflect the actual number of people who
> >> are contributing to the guide.
> >>
> >> Regards
> >> Vishal
> >>
> >> On Thu, Dec 2, 2010 at 9:14 PM, Vishal Garg <vishalgrg at gmail.com> wrote:
> >>
> >>
> >>> Hi,
> >>>
> >>> Thanks to the contributions made by all the volunteers of the new OWASP
> >>> Development Guide, the new version of the guide has made much progress
> >>> since its beginning earlier this year. Although it may appear that the
> >>> progress has slowed down a bit lately, a lot is going on in the background
> >>> and both Anurag and I have been discussing the guide very enthusiastically
> >>> in the last few weeks. We are also working with other guide leaders to
> >>> bring all the guides to the same platform where all these guides could be
> >>> cross-referenced by the end users. More details about this would appear on
> >>> the mailing list shortly.
> >>>
> >>> We very much appreciate your contributions to the guide and hope that you
> >>> would be able to contribute further to bring the guide into its final
> >>> shape. We will be releasing more information about our future plans on the
> >>> mailing list very shortly and are hoping to interact with the contributors
> >>> on a more regular basis. I would appreciate it if you could let me know
> >>> about your current situation and whether you would be able to continue
> >>> contributing further to the dev guide.
> >>>
> >>> Please reply to this email by 12th December to confirm your status so that
> >>> we can update the contributors list accordingly.
> >>>
> >>> Thanks for your cooperation and all your contributions to the OWASP
> >>> Development Guide
> >>>
> >>> Regards
> >>> Vishal
> >>>
> >>>
> >>>
> >>>
> >>
> >> --
> >> Vishal Garg
> >>
> >> Linkedin: http://www.linkedin.com/in/vishalgrg
> >> Twitter: http://www.twitter.com/vishalgrg
> >>
> >>
> >>
> >
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 17 Dec 2010 16:09:28 -0800
> From: "Abe" <abek1 at comcast.net>
> Subject: Re: [Owasp-guide] Owasp-guide Digest, Vol 30, Issue 1
> To: "'Vishal Garg'" <vishalgrg at gmail.com>
> Cc: owasp-guide at lists.owasp.org
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Vishal,
>
>
>
> I put the old content back.
>
>
>
> The chapter that I wrote is underneath for reference.
>
>
>
>
>
> Regards,
>
> Abe
>
>
>
> From: Vishal Garg [mailto:vishalgrg at gmail.com]
> Sent: Wednesday, December 15, 2010 12:02 AM
> To: Abe
> Cc: Theo Van Niekerk; owasp-guide at lists.owasp.org
> Subject: Re: [Owasp-guide] Owasp-guide Digest, Vol 30, Issue 1
>
>
>
> Hi Abe,
>
> Please see my comments inline below:
>
> Regards
> Vishal
>
> On Tue, Dec 14, 2010 at 7:45 AM, Abe <abek1 at comcast.net> wrote:
>
> Hi Vishal,
>
>
>
> If the former content does not apply why put it in the chapter?
>
>
> The project has been divided in two phases. Phase 1 is to recycle all
> relevant content from the old version of the guide (to prevent reinventing
> the wheel for what is already there) and Phase 2, to develop new content.
>
>
>
> I understand that it is a collaborative effort, and I am trying to
> collaborate, but copying a former chapter verbatim, when it does not apply,
> is borderline plagiarism.
>
>
> I completely agree with you that we only want to recycle the content that is
> still relevant. My only concern was that your deleting the work done by
> someone else was not a good thing to do. If there are any concerns or if you
> do not agree with something on the wiki, it is always good to discuss with
> someone before making any changes to the wiki.
>
> If you feel there is anything from the previous guide which should not be
> there, I would suggest you discuss it with your section lead and once you
> come to a consensus, you can add the agreed-on content to the wiki. All this
> content will be reviewed during the review process and we (project leads
> and content review team) would provide feedback to make relevant adjustments.
>
>
>
> I understand that the content from the previous guide which was replaced was
> important but I thought we were supposed to be pulling in content that
> applied to the new section.  In this case, I do not think that the
> Interpreter Injection chapter applies.  If you think the Interpreter
> Injection is suitable content for the output encoding chapter then I can
> move the current chapter content to a different location on the OWASP web
> site or just publish this content on a different security web site
> altogether.
>
>
> Again I would say that we very much appreciate all your time and efforts.
> For the time being, I would suggest that we leave the recycled content where
> it was and you are more than welcome to add your content too. All this would
> be reviewed during the review process and any relevant adjustments would be
> made at that time. At this stage, I would suggest that you team up with your
> section lead and agree on what is the best course of action for this
> section.
>
>
>
> I think coverage of the ASVS is important.  Strict adherence to the ASVS
> will turn the Guide into another version of the ASVS.
>
>
> We are not trying to create another version of ASVS here. ASVS says what
> needs to be done to secure an app while the dev guide would say how it should
> be done. The guide is much more detailed whereas ASVS only provides one liners
> (headings for dev guide content).
>
>
>
> I don't understand what you mean by "if everyone did this we would not be
> able to accomplish anything from this."  If I revert back to what we had
> before we would not have anything new and we wouldn't be accomplishing
> anything because we would only have Version 2.0 of the Guide.
>
>
>
> I am more than happy to put things in ASVS format but give us better
> direction.  Maybe a sample completed chapter of how you want the ASVS mapped
> to a coherent and logically flowing chapter.
>
>
> ASVS has been developed as a standard that can be used to systematically
> develop security controls within an application or to measure the
> effectiveness of security controls. But this is a very high level document
> that says what needs to be done. We (the OWASP Guides teams - Dev, Code
> Review and Testing) are planning to align all three guides to the ASVS
> standard so that the whole process of developing and testing web
> applications can be formalised to the same standard.
>
> Therefore the new structure of the guide has been aligned to the ASVS
> standard, where each chapter of the guide has been mapped to each section of
> the ASVS standard and each section within a chapter has been aligned to the
> ASVS verification control requirement. Therefore all the general discussion
> on a topic will go on the first page of each chapter and any specific
> control recommendation would go within a specific control requirement. This
> would include discussing the control requirements, any worksheets or coding
> samples.
>
> I hope I have explained everything to the best of my ability, but if you
> still have any doubts, please do not hesitate to contact me.
>
>
>
>
>
> My concern is that when we revert to version 2.0, we won't have a good idea
> of how to move forward.  Which will truly result in "not accomplishing
> anything".
>
>
>
> When you suggest that I follow the ASVS structural guideline, I did cover
> the itemized topics of Output Encoding.  If there is something I missed I am
> more than willing to accommodate and add it but reverting back to the
> original content is akin to taking one step forward and two steps back.
>
>
>
> I also am curious which parts of the Guide 2.0 Interpreter Injection chapter
> would help a developer to do proper output encoding.  If you are worried
> about losing relevant content let me know exactly which content you think
> applies and I will gladly find a way to work it into the material.
>
>
>
> Regards,
>
> Abe
>
>
>
>
>
> From: Vishal Garg [mailto:vishalgrg at gmail.com]
> Sent: Monday, December 13, 2010 2:29 PM
> To: Abe
> Cc: Theo Van Niekerk; owasp-guide at lists.owasp.org
>
>
> Subject: Re: [Owasp-guide] Owasp-guide Digest, Vol 30, Issue 1
>
>
>
> Hi Abe,
>
> I had looked at the Wiki over the weekend and analysed the changes made by
> you. I really like your enthusiasm in creating all the great content, but at
> the same time, we also have to understand that creating the guide is a
> collaborative effort where hard work from a lot of volunteers is involved.
> Therefore we all need to follow some rules to respect each other's time and
> effort and to achieve meaningful results from everyone else's efforts.
>
> During my analysis, I found that you had replaced the old content with the
> new content of your own, which means that the work done by someone else has
> all been wasted. Also if everyone kept doing this, we would not be able to
> achieve anything from this effort. Therefore could you please go back and
> roll back all the changes you made to the wiki and retain all the old
> content. Also I would suggest you follow the ASVS guidelines and structure
> and put your content at the appropriate place so that your efforts and hard
> work are also not wasted.
>
> Please let me know if you have any queries or doubts and I'll do my best to
> resolve them.
>
> Regards
> Vishal
>
>
> On Sat, Dec 11, 2010 at 6:29 AM, Abe <abek1 at comcast.net> wrote:
>
> Theo,
>
> When I came home today, I was having a rough day at work.  My gut instinct
> was to apologize as I tend to try and take responsibility and be held
> accountable (sometimes without thinking).
>
> Prior to submitting the chapter that I wrote, the OWASP Guide for OWASP-0600
> Output Encoding/Escaping contained the Interpreter Injection chapter copied
> verbatim from the OWASP Web Application Guide 2.0.
>
> I do not think any of the Interpreter Injection chapter is related to proper
> output encoding and still do not think it applies.  Replacing the current
> chapter with the Interpreter Injection chapter is not the right thing to do.
>
> As to following the ASVS. When writing, information should be presented in a
> clear, concise, and logical manner.  We are writing a book after all.  If
> you read the chapter that I wrote, all of the items under OWASP-0600 to
> OWASP-0610 Output Encoding/Escaping are covered.
>
> Again proper output encoding is something that I am still actively doing
> research on. I want to make sure that if I am wrong about anything, the
> reader can correct me and let me know where I made my mistake.  I am going
> to take out my email before we go GA.
>
> To be honest, I was a bit frustrated at the pace at which the guide and our
> chapter was moving, so I took the initiative to go ahead and write the
> chapter.
>
>
>
> "Lead, follow, or get out of the way."  --Thomas Paine
>
>
>
> Regards,
> Abe
>
>
>
> -----Original Message-----
> From: Theo Van Niekerk [mailto:theovn.list at gmail.com]
> Sent: Thursday, December 09, 2010 11:52 PM
> To: Abe
>
> Cc: owasp-guide at lists.owasp.org
> Subject: Re: [Owasp-guide] Owasp-guide Digest, Vol 30, Issue 1
>
> Hi Abe
>
> I'm afraid that you have jumped the gun.
>
> Vishal's schedule (see below your email) states to recycle old content -
> which I believe is still very valid - by the end of Jan 2011.
> Thereafter a collaborative approach will be followed to develop new
> content.
> It will then be reviewed and updated.
>
> Quite frankly I do not appreciate that you merrily jump in, remove the
> recycled content originating from the old guide, and replace it with yours.
> Also, what's with the "Good luck and email me (abraham.kang at owasp.org) with
> any questions."?
>
> Regarding the content you have created, I see it as valuable but it would
> have to be aligned with the ASVS. I think it is too complex for an
> introduction and should rather reside in a subsection of the future
> document.
>
> Can you please rollback to the previous version?
>
> Thanks
> Theo
>
>
>
> On 07 Dec 2010, at 20:02, Abe wrote:
>
> > Hi Vishal,
> >
> > Material from the previous version didn't really match so I wrote a new
> > chapter outright.
> >
> > Output Encoding
> >
> > Regards,
> > Abe
> >
> > -----Original Message-----
> > From: owasp-guide-bounces at lists.owasp.org
> > [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of
> > owasp-guide-request at lists.owasp.org
> > Sent: Tuesday, December 07, 2010 9:00 AM
> > To: owasp-guide at lists.owasp.org
> > Subject: Owasp-guide Digest, Vol 30, Issue 1
> >
> >
> > Today's Topics:
> >
> >   1. [OWASP-Guide] Schedule for dev guide (Vishal Garg)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Mon, 6 Dec 2010 21:57:08 +0000
> > From: Vishal Garg <vishalgrg at gmail.com>
> > Subject: [Owasp-guide] [OWASP-Guide] Schedule for dev guide
> > To: owasp-guide at lists.owasp.org
> > Message-ID:
> >       <AANLkTi=wV71qetsDEFz=5nY6ZSUnBAzcOezLJTthHJzE at mail.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Hi All,
> >
> > After having a discussion with Anurag, we have come up with the following
> > schedule for the new dev guide. Could all section leads please provide an
> > update on how much work has already been done for the first phase of
> > recycling the content from the previous version of the development guide
> > and how much of it is still pending, along with an outline of any new
> > additions they are planning to implement in their sections.
> >
> > Please note that the new development guide also needs to meet the ASVS
> > standard and the new OWASP numbering scheme. Therefore you need to ensure
> > that you adhere to these guidelines and make adjustments to your sections
> > accordingly. If in doubt, just get in touch with either me or Anurag.
> >
> > 31/01/2011 - Recycling the old content from previous guide.
> >
> > 31/03/2010 - New content development for all sections.
> >
> > 30/04/2011 - Content review and updates.
> >
> > 31/05/2011 - Finishing touches to the guide (eg. initial sections and
> > indexes etc.)
> >
> > 01/06/2011 - Beta release. Get comments from public and make changes.
> >
> > 30/06/2011 - Final release (or possibly tie it with some event to make it
> > more visible).
> >
> > We are also planning to have more frequent status meetings, possibly on a
> > weekly basis so that the progress on the development of the guide can be
> > monitored more closely and we can have an open forum for discussions with
> > other team members. Anurag has suggested using Skype for weekly meetings. I
> > hope everyone would be comfortable with this. More details on this would
> > follow shortly.
> >
> > Thanks to everyone for their contributions to the guide.
> >
> > Regards
> > Vishal
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: https://lists.owasp.org/pipermail/owasp-guide/attachments/20101206/cead64bc/attachment-0001.html
> >
> > ------------------------------
> >
> > _______________________________________________
> > Owasp-guide mailing list
> > Owasp-guide at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-guide
> >
> >
> > End of Owasp-guide Digest, Vol 30, Issue 1
> > ******************************************
> >
>
>
>
>
>
> --
> Vishal Garg
>
> Linkedin: http://www.linkedin.com/in/vishalgrg
> Twitter: http://www.twitter.com/vishalgrg
>
>
>
>
>
>
> ------------------------------
>
>
>
> End of Owasp-guide Digest, Vol 30, Issue 13
> *******************************************
>

