[Owasp-guide] [OWASP-Guide] Schedule for dev guide

Kevin W. Wall kevin.w.wall at gmail.com
Fri Dec 31 01:32:01 EST 2010

On 12/06/2010 04:57 PM, Vishal Garg wrote:
> Hi All,
> After having a discussion with Anurag, we have come up with the following
> schedule for the new dev guide. Could all section leads please provide an
> update on how much work has already been done for the first phase of
> recycling the content from the previous version of development guide and how
> much of it is still pending, along with an outline of any new additions they
> are planning to implement to their sections.
> Please note that the new development guide also needs to meet ASVS standard
> and new OWASP numbering scheme. Therefore you need to ensure that you adhere
> to these guidelines and make adjustments to your sections accordingly. If in
> doubt, just get in touch with either me or Anurag.
> 31/01/2011 -- Recycling the old content from previous guide.
> 31/03/2010 -- New content development for all sections
> 30/04/2011 -- Content review and updates.
> 31/05/2011 -- Finishing touches to the guide (eg. initial sections and indexes etc.)
> 01/06/2011 -- Beta release. Get comments from public and make changes.
> 30/06/2011 -- Final release (or possibly tie it with some event to make it more visible).

OK, I've mostly completed changes to the Cryptography section of the new OWASP
Dev Guide wiki pages by attempting to recycle the old content from the previous
guide (which I had in MS Word format) that allegedly was written by Microsoft's
Michael Howard.

I found this a rather challenging endeavor, not because the editing was so
difficult, but because I found it just plain hard to take the previous document
and put it into accordance with the ASVS standard, the sub-pages which had
already been laid out.

There were two major problems that I found in attempting this. First was that
the previous content covered a lot of crypto-related stuff that simply was not
in the crypto section of the ASVS so there was no place to map it to. For most
of that content, I just left it on the main crypto page.  The other major
problem--still not really addressed--is that the crypto section of the previous
OWASP Dev Guide just did not cover material that is relevant to the crypto
section of the OWASP ASVS project.  Now given that the last Dev Guide predates
the ASVS, this is hardly surprising, but it is rather frustrating.  In this
specific case, what it means is that most of the subsections are completely
empty. A lesser problem is that the previous crypto section of the Dev Guide
is organized completely differently, so that one, at times, needs to copy-and-paste
a paragraph here, a sentence there, etc. to the new section.

Anyhow, I did the best I could. I even added a bit of new content (yes, I know
we weren't supposed to do that, but I checked with the section lead and gave
myself permission ;-) on the ASVS respective sections where things would
otherwise be rather spotty.

I still am far from finished, but at least it's a start. However, I am not going
to do anything further with this section or any other section (e.g.,
Security Architecture or Authentication) until someone takes a look at this
to tell me if I am on the right track or not.  Based on what I understand
from Mike Boberski's "vision" of how this was going to work with some sort
of "ASVS Checklist / Worksheet", I don't quite think this is what he intended.
However, until someone provides some *very specific* guidance as to what
exactly is desired, I feel I can do no better.

So, your input / feedback would be much appreciated.
P.S.- A happy and safe New Year's to all.
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME