[Owasp-guide] UML diagrams
vanderaj at owasp.org
Fri Jun 7 12:14:32 UTC 2013
I've made a post to Google+ soliciting input on sequence diagrams versus
It's my view that the old way of lots of little controls to obey didn't
yell out to developers "hey, I need to pick up items 1,2,3,4,5, 7, 9, 13,
and 15 for my solution". I'd rather have artefacts they already know how to
use (sequence or activity diagrams), and then point them in the general
direction of detailed text controls if they don't already understand them.
I want to assume that developers are keen and talented, and bootstrap them
if they're just starting out. Too many infosec standards assume the
developers should not think and can't make decisions for themselves.
Have a look at
Then let me know your thoughts. The PlantUML source is there too if you
want to change it.
The reason the Presentation "tier" swim lane is outside the trusted zone is
simple - that's life today with Ajax and mobile apps, and we need to make
our leading practices compatible with mobile, Ajax, SOA, web service AND
traditional web apps.
I think pushing the trust boundary in by one makes it obvious, and it
works for all major use cases other than entirely self-contained apps
running on untrusted devices. libdvdcss shows us the futility of securing
that use case for any length of time.
I'm nearly done with the detailed outlines of the authentication and access
control chapters (Rudra and Jerry, it's still at where I left it the other
day), but I do want to complete them for input validation and output
encoding soon. If you volunteered for any of these chapters, please pipe up
again, and let me know if you've done anything since we last spoke.
@Kevin - please contact me to discuss how you're going on the Crypto
@All - I want to have a status meeting soon. Does around this
time Friday June 14 work for folks?