[Owasp-guide] Getting Started (again)

Ken Owen kenowen at eowen.com
Fri May 14 16:42:05 EDT 2010


It seemed to clear up the next day and all seems fine now. I have 
updated the "Identifying Key Business Risks" page now. If you think I'm 
on the right track now, let me know and I'll flesh out a few more pages.


Boberski, Michael [USA] wrote:
> Weird! Yeah, I don't have any insight into that. Ok, I'll take a look!
> Best,
> Mike B.
> -----Original Message-----
> From: Ken Owen [mailto:kenowen at eowen.com] 
> Sent: Wednesday, May 05, 2010 3:53 PM
> To: Boberski, Michael [USA]
> Cc: owasp-guide at lists.owasp.org
> Subject: Re: Getting Started (again)
> Mike
> I have written a new page, however, the wiki will not accept my update. 
> It says:
>
>> While you were viewing or updating GettingStarted_InjectingSecurity_1, another user submitted an update to it. That user's update has already taken effect. Your update cannot be saved because your changes could overwrite the other user's changes.
>>
>> Note: if you have been viewing and updating GettingStarted_InjectingSecurity_1 in multiple browser windows or tabs, it is possible that the "other user" is actually yourself.
>
> I was the last person to update the page (yesterday). There are no other 
> browser windows and my machine has been shut down twice since the 
> update. Perhaps it has something to do with the read-only status/update 
> by Google this morning (7:30 AM PST).
>
> To move things along, the copy that I was trying to post is below:
> Identifying Key Business Risks
>
> Does this application pose any risk to corporate reputation, corporate 
> relationships with partners, vendors and regulators, proprietary 
> planning or corporate data? How does your application expose you to 
> these risks? Enumerate the specific risks associated with each component 
> in the application, and given the risk level, is it necessary to the 
> application? At this point, components are just descriptions of 
> necessary parts of the application written in layman's terms to be 
> understood by all participants.
>
> This discussion should include all stakeholders, not just developers 
> and IT, to get a well-rounded perspective before dealing with the 
> technology aspect. To start:
>
>    # identify stakeholders
>    # brainstorm
>    # aggregate perceived risks
>    # evaluate risk/reward profile for the application
>
> With the component list complete, calculate the ASVS level of security 
> needed for each.
> [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project 
> ASVS (OWASP Application Security Verification Standard)] provides 
> a basis for testing application technical security controls, as 
> well as any technical security controls in the environment, that are 
> relied on to protect against vulnerabilities.
>
> Whenever the site is working properly again, I'll post it.
> Ken
> Boberski, Michael [USA] wrote:
>> Hi Ken, thanks for sticking with this.
>> The rule of thumb should be that each of the getting started section pages should fill up all the whitespace on the page when one browses to it, if there's not that much, it's likely not enough detail.
>> While I personally usually abhor such direction, in certain circumstances (such as this one) it can serve a purpose. For example, let's look at "Identifying Key Business Risks".
>>  * First, the title, why is it not "Identifying Key Business Risks".
>>  * What are "business risks"?
>>  * What are "competitive factors"?
>>  * What are "market changes"?
>>  * What are "risks" that "applications expose you to"?
>>  * What's "ASVS"?
>>  * What's an "ASVS level"?
>>  * What is a "function in the application"?
>>  * Etc. Definitions!
>>  * Where is a description of a process? Are those four bullets steps? Why aren't they numbered? What's involved in each step?
>>  * Etc. Guide! Provide process! It's a guide!
>> I find it sometimes helpful to pretend to help like you're verbally talking to someone, and just start writing in that fashion, doubling back to break things up, to make things a little more formal/structured.
>> Think in terms of paragraphs, process, explanations to audiences who are not experts in application security. The guide has to be understandable by non-appsec experts who can code.
>> HTH. Perhaps let's stick with "Identifying Key Business Risks" and work on that section for a few iterations, with the above in mind.
>> Thanks for sticking with this, as well.
>> Best,
>> Mike B.
>> -----Original Message-----
>> From: Ken Owen [mailto:kenowen at eowen.com] 
>> Sent: Monday, May 03, 2010 5:24 PM
>> To: Boberski, Michael [USA]
>> Cc: owasp-guide-bounces at lists.owasp.org
>> Subject: Getting Started (again)
>> Mike
>> I took another try at these sections. I wrote the main page without the 
>> checklists. The design considerations page is still a bulleted list. 
>> The four pages under that have several sentences of description, and 
>> three have links to the appropriate OWASP pages.
>> If this is OK, I'll go on to the security controls section.
>> Ken

Ken Owen
Edward Owen Company
Box 407
Granby, CT 06035-0407
Phone: 860.653.6258 x12
Fax: 860.653.6349
email: kenowen at eowen.com
