[Owasp-guide] Getting Started (again)

Boberski, Michael [USA] boberski_michael at bah.com
Tue May 4 16:06:13 EDT 2010

Hi Ken, thanks for sticking with this.

The rule of thumb should be that each of the getting started section pages should fill up all the whitespace on the page when one browses to it, if there's not that much, it's likely not enough detail.

While I personally usually abhor such direction, in certain circumstances (such as this one) can serve a purpose. For example, let's look at "Identifying Key Business Risks".

 * First, the title, why is it not "Identifying Key Business Risks".
 * What are "business risks"?
 * What are "competitive factors"?
 * What are "market changes"?
 * What are "risks" that "applications expose you to"?
 * What's "ASVS"?
 * What's an "ASVS level"?
 * What is a "function in the application"?
 * Etc. Definitions!
 * Where is a description of a process? Are those four bullets steps? Why aren't they numbered? What's involved in each step?
 * Etc. Guide! Provide process! It's a guide!

I find it sometimes helpful to pretend to help like you're verbally talking to someone, and just start writing in that fashion, doubling back to break things up, to make things a little more formal/structured.

Think in terms of paragraphs, process, explanations to audiences who are not experts in application security. The guide has to be understandable by non-appsec experts who can code.

HTH. Perhaps let's stick with "Identifying Key Business Risks" and work on that section for a few iterations, with the above in mind.

Thanks for sticking with this, as well.


Mike B.

-----Original Message-----
From: Ken Owen [mailto:kenowen at eowen.com] 
Sent: Monday, May 03, 2010 5:24 PM
To: Boberski, Michael [USA]
Cc: owasp-guide-bounces at lists.owasp.org
Subject: Getting Started (again)


I took another try at this sections. I wrote the main page without the 
check lists. The design considerations page is still a bulleted list. 
The four page under that have several sentences of description, and 
three have links to the appropriate OWASP pages.

If this is OK, I'll go on to the security controls section.


More information about the Owasp-guide mailing list