[Owasp-guide] Prioritised chapters

vanderaj vanderaj vanderaj at owasp.org
Wed Mar 27 03:20:46 UTC 2013


Hi there,

I'm very pleased with the response I got privately and to this list, so
let's get it happening without further delay. What I aim to do this time
differently is lead the big chapters as editor, and work on some of the
smaller chapters personally, like testing and so on.

There's a lot of chapters that need writing, but we're not getting far with
the current approach, so let's focus on delivering four core chapters first
as group led sub-projects, and then circle around and write the next four
as resources become available.

Can folks volunteer for one of the four chapters:

Authentication
http://www.gaiabb.com/wiki/index.php/DG-B03-AUTHN

Access Control
http://www.gaiabb.com/wiki/index.php/DG-B05-AUTHZ

Input Validation
http://www.gaiabb.com/wiki/index.php/DG-B06-INPVAL

Output Encoding
http://www.gaiabb.com/wiki/index.php/DG-B07-OUTENC

I'd ideally like to see teams of two or three or more for each chapter.
Let's write a draft and we'll polish and edit from there.

There are specific things I want each chapter to hit. Each documented
control should be comprehensive, concise and readable, preferably have good
flows documented using UML swim lane diagrams and pictures, and a list of
anti-patterns at the end.

I will be holding out for a higher standard than many currently practice -
we need to lead, not document common worst practice.

For example in authentication, we will not be documenting password recovery
using questions and answers as I firmly believe these to be a strong
anti-pattern. In input validation, we will be using positive validation as
the first choice right through to no validation, but we should always
prefer positive validation. Output encoding should be encouraging the
encoding of all non-literals, even if it's (currently) safe to not encode
them. This is how ESAPI does it, for example.

*+Kevin Wall* - as you requested a long time ago, let's have that G+
discussion on the crypto chapter. I totally agree it needs to be different
than the ASVS outline. I would like you to lead the re-development of that
chapter, and to bring in people you feel that could help you write it to
the standards you want to see.

thanks,
Andrew
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-guide/attachments/20130327/f49145f3/attachment.html>


More information about the Owasp-guide mailing list