[Owasp-guide] Prioritised chapters

Anand_Jayaraman1 at Dell.com Anand_Jayaraman1 at Dell.com
Wed Mar 27 05:56:27 UTC 2013


I would like to volunteer for

Input Validation

Since I understand it is going to be a team of 3 or more per chapter, I would like to have some more folks to team up with.


From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of vanderaj vanderaj
Sent: Wednesday, March 27, 2013 8:51 AM
To: owasp-guide at lists.owasp.org; Kevin W. Wall
Cc: Abraham Kang
Subject: [Owasp-guide] Prioritised chapters

Hi there,

I'm very pleased with the response I got privately and to this list, so let's get it happening without further delay. What I aim to do this time differently is lead the big chapters as editor, and work on some of the smaller chapters personally, like testing and so on.

There's a lot of chapters that need writing, but we're not getting far with the current approach, so let's focus on delivering four core chapters first as group led sub-projects, and then circle around and write the next four as resources become available.

Can folks volunteer for one of the four chapters:


Access Control

Input Validation

Output Encoding

I'd ideally like to see teams of two or three or more for each chapter. Let's write a draft and we'll polish and edit from there.

There are specific things I want each chapter to hit. Each documented control should be comprehensive, concise and readable, preferably have good flows documented using UML swim lane diagrams and pictures, and a list of anti-patterns at the end.

I will be holding out for a higher standard than many currently practice - we need to lead, not document common worst practice.

For example in authentication, we will not be documenting password recovery using questions and answers as I firmly believe these to be a strong anti-pattern. In input validation, we will be using positive validation as the first choice right through to no validation, but we should always prefer positive validation. Output encoding should be encouraging the encoding of all non-literals, even if it's (currently) safe to not encode them. This is how ESAPI does it, for example.

+Kevin Wall - as you requested a long time ago, let's have that G+ discussion on the crypto chapter. I totally agree it needs to be different than the ASVS outline. I would like you to lead the re-development of that chapter, and to bring in people you feel that could help you write it to the standards you want to see.
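The two principles stated above for the Input Validation and Output Encoding chapters (prefer positive, allow-list validation; encode every non-literal on output, even values that look harmless) are illustrated by the following Python example. It is added here for this archive page and is not code from the OWASP Guide, from ESAPI, or from any list member; the field names, patterns and form values are constructed for the illustration.

```python
import html
import re

# Positive (allow-list) validation: state exactly what each field may contain.
# Anything that is not described here is rejected. (Constructed field specs.)
FIELD_SPECS = {
    "username": re.compile(r"^[A-Za-z][A-Za-z0-9_]{2,31}$"),
    "zip_code": re.compile(r"^\d{5}(-\d{4})?$"),
    "quantity": re.compile(r"^[1-9]\d{0,3}$"),
}


def validate_form_positive(form: dict) -> dict:
    """Return {field: reason} for every field that is unknown or fails its allow-list.

    An empty dict means every submitted field matched its positive pattern.
    """
    errors = {}
    for field, value in form.items():
        spec = FIELD_SPECS.get(field)
        if spec is None:
            # Unexpected fields are rejected too: the allow-list covers the whole form.
            errors[field] = "unexpected field"
        elif not isinstance(value, str) or spec.fullmatch(value) is None:
            errors[field] = "does not match allowed format"
    return errors


# Negative (deny-list) validation, shown only as the contrasting anti-pattern:
# it lists characters believed to be bad and lets everything else through.
DENY_CHARS = set("<>\"'&")


def validate_username_negative(value: str) -> bool:
    """Accept a username unless it contains a character on the deny-list."""
    return not any(ch in DENY_CHARS for ch in value)


def render_profile_row(form: dict) -> str:
    """Build an HTML table row, encoding every non-literal value on the way out.

    The literal markup is trusted; each interpolated value is HTML-encoded
    unconditionally, whether or not it currently looks safe.
    """
    cells = "".join(
        "<td>" + html.escape(str(form[field]), quote=True) + "</td>"
        for field in ("username", "zip_code", "quantity")
    )
    return "<tr>" + cells + "</tr>"
```

The deny-list validator accepts `alice;drop`, because a semicolon is not on its list, while the positive validator rejects it simply because it is not in the allowed alphabet; that asymmetry is the reason for preferring positive validation. The renderer encodes a plain value such as `alice` exactly as it encodes `<alice>`, so the safety of the output does not depend on remembering which values needed encoding.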
