[Owasp-guide] Getting Started (again)
Boberski, Michael [USA]
boberski_michael at bah.com
Wed May 5 15:54:35 EDT 2010
Weird! Yeah, I don't have any insight into that. Ok, I'll take a look!
From: Ken Owen [mailto:kenowen at eowen.com]
Sent: Wednesday, May 05, 2010 3:53 PM
To: Boberski, Michael [USA]
Cc: owasp-guide at lists.owasp.org
Subject: Re: Getting Started (again)
I have written a new page, however, the wiki will not accept my update.
> While you were viewing or updating GettingStarted_InjectingSecurity_1, another user submitted an update to it. That user's update has already taken effect. Your update cannot be saved because your changes could overwrite the other user's changes.
> Note: if you have been viewing and updating GettingStarted_InjectingSecurity_1 in multiple browser windows or tabs, it is possible that the "other user" is actually yourself.
I was the last person to update the page (yesterday). There are no other
browser windows and my machine has been shut down twice since the
update. Perhaps it has something to do with the read-only status/update
by google this morning (7:30 AM PST).
To move things along, the copy that I was trying to post is below:
Identifying Key Business Risks
Does this application pose any risk to corporate reputation, corporate
relationships with partners, vendors and regulators, proprietary
planning or corporate data? How does your application expose you to
these risks? Enumerate the specific risks associated with each component
in the application, and given the risk level, is it necessary to the
application? At this point, components are just descriptions of
necessary parts of the application written in layman's terms to be
understood by all participants.
This discussion should include all stake holders, not just developers
and IT, to get a well-rounded perspective before dealing with the
technology aspect. To start:
# identify stake holders
# aggregate perceived risks
# evaluate risk/reward profile for the application
With the component list complete, calculate the ASVS level of security
needed for each.
ASVS (OWASP Application Security Verification Standard)] provides
provides a basis for testing application technical security controls, as
well as any technical security controls in the environment, that are
relied on to protect against vulnerabilities.
Whenever the site is working properly again, I'll post it.
Boberski, Michael [USA] wrote:
> Hi Ken, thanks for sticking with this.
> The rule of thumb should be that each of the getting started section pages should fill up all the whitespace on the page when one browses to it, if there's not that much, it's likely not enough detail.
> While I personally usually abhor such direction, in certain circumstances (such as this one) can serve a purpose. For example, let's look at "Identifying Key Business Risks".
> * First, the title, why is it not "Identifying Key Business Risks".
> * What are "business risks"?
> * What are "competitive factors"?
> * What are "market changes"?
> * What are "risks" that "applications expose you to"?
> * What's "ASVS"?
> * What's an "ASVS level"?
> * What is a "function in the application"?
> * Etc. Definitions!
> * Where is a description of a process? Are those four bullets steps? Why aren't they numbered? What's involved in each step?
> * Etc. Guide! Provide process! It's a guide!
> I find it sometimes helpful to pretend to help like you're verbally talking to someone, and just start writing in that fashion, doubling back to break things up, to make things a little more formal/structured.
> Think in terms of paragraphs, process, explanations to audiences who are not experts in application security. The guide has to be understandable by non-appsec experts who can code.
> HTH. Perhaps let's stick with "Identifying Key Business Risks" and work on that section for a few iterations, with the above in mind.
> Thanks for sticking with this, as well.
> Mike B.
> -----Original Message-----
> From: Ken Owen [mailto:kenowen at eowen.com]
> Sent: Monday, May 03, 2010 5:24 PM
> To: Boberski, Michael [USA]
> Cc: owasp-guide-bounces at lists.owasp.org
> Subject: Getting Started (again)
> I took another try at this sections. I wrote the main page without the
> check lists. The design considerations page is still a bulleted list.
> The four page under that have several sentences of description, and
> three have links to the appropriate OWASP pages.
> If this is OK, I'll go on to the security controls section.
Edward Owen Company
Granby, CT 06035-0407
Phone: 860.653.6258 x12
email: kenowen at eowen.com
More information about the Owasp-guide