[Owasp-guide] Prioritised chapters

Anand_Jayaraman1 at Dell.com
Thu Mar 28 06:05:34 UTC 2013

Great to see more people wanting to team up on Input Validation.

Arief: Let's team up. We can start by sharing our Skype IDs (anand-jayaraman) or Gmail IDs (anand201301 at gmail.com) so that it is easy to collaborate. If you feel there are better ways, we can use that medium.


From: Lathifah Arief [mailto:lathifah.arief at gmail.com]
Sent: Thursday, March 28, 2013 6:53 AM
To: Jayaraman1, Anand
Cc: owasp-guide at lists.owasp.org; vanderaj vanderaj; kevin.w.wall at gmail.com; abraham.kang at owasp.org
Subject: Re: [Owasp-guide] Prioritised chapters

Hi, I'm interested in input validation too... if you guys don't mind having me in the team, for sure :-)
On Mar 27, 2013 2:50 PM, <Anand_Jayaraman1 at dell.com> wrote:

I would like to volunteer for

Input Validation

Since I understand it is going to be a team of 3 or more per chapter, I would like to have some more folks to team up with.


From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of vanderaj vanderaj
Sent: Wednesday, March 27, 2013 8:51 AM
To: owasp-guide at lists.owasp.org; Kevin W. Wall
Cc: Abraham Kang
Subject: [Owasp-guide] Prioritised chapters

Hi there,

I'm very pleased with the response I got privately and to this list, so let's get it happening without further delay. What I aim to do this time differently is lead the big chapters as editor, and work on some of the smaller chapters personally, like testing and so on.

There are a lot of chapters that need writing, but we're not getting far with the current approach, so let's focus on delivering four core chapters first as group-led sub-projects, and then circle around and write the next four as resources become available.

Can folks volunteer for one of the four chapters:


Access Control

Input Validation

Output Encoding

I'd ideally like to see teams of two or three or more for each chapter. Let's write a draft and we'll polish and edit from there.

There are specific things I want each chapter to hit. Each documented control should be comprehensive, concise and readable, preferably have good flows documented using UML swim lane diagrams and pictures, and a list of anti-patterns at the end.

I will be holding out for a higher standard than many currently practice - we need to lead, not document common worst practice.

For example in authentication, we will not be documenting password recovery using questions and answers as I firmly believe these to be a strong anti-pattern. In input validation, we will be using positive validation as the first choice right through to no validation, but we should always prefer positive validation. Output encoding should be encouraging the encoding of all non-literals, even if it's (currently) safe to not encode them. This is how ESAPI does it, for example.

+Kevin Wall - as you requested a long time ago, let's have that G+ discussion on the crypto chapter. I totally agree it needs to be different than the ASVS outline. I would like you to lead the re-development of that chapter, and to bring in people you feel that could help you write it to the standards you want to see.


Owasp-guide mailing list
Owasp-guide at lists.owasp.org
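The two preferences stated in the thread above (positive validation as the first choice, and encoding every non-literal on output even when it is currently safe not to) as an added, self-contained example. This is not code from the Guide or from ESAPI; the rule in USERNAME_RE, the function names and the sample inputs are my own and constructed for illustration. A blocklist check is included only to show the anti-pattern the thread argues against.

```python
import html
import re
import unicodedata


class ValidationError(ValueError):
    """Raised when input does not match the positive (allow-list) rule."""


# Positive validation: state exactly what is accepted and reject everything
# else. This rule (hypothetical, for illustration) accepts 3-32 characters,
# ASCII letters, digits and underscore, starting with a letter.
USERNAME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9_]{2,31}\Z")


def validate_username(raw: object) -> str:
    """Return the canonical username, or raise ValidationError.

    The value is canonicalised (Unicode NFKC, surrounding whitespace removed)
    before the allow-list is applied, so the check sees the same form the
    application will go on to use.
    """
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    canonical = unicodedata.normalize("NFKC", raw).strip()
    if not USERNAME_RE.fullmatch(canonical):
        raise ValidationError(
            "username must be 3-32 characters: letters, digits or '_', "
            "starting with a letter"
        )
    return canonical


# Negative validation (blocklist), shown only as the anti-pattern to avoid:
# it enumerates a few known-bad fragments, so anything not on the list passes.
BLOCKLIST = ("<script", "javascript:", "onerror=")


def blocklist_allows(raw: str) -> bool:
    """Return True if none of the blocklisted fragments appear (case-insensitive)."""
    lowered = raw.lower()
    return not any(bad in lowered for bad in BLOCKLIST)


def encode_html(value: object) -> str:
    """HTML-encode a value for a text node or a quoted attribute value.

    html.escape with quote=True encodes & < > " and '.
    """
    return html.escape(str(value), quote=True)


def render_greeting(username: str, display_name: str) -> str:
    """Build a fragment in which every non-literal is encoded on output.

    `username` has already passed positive validation and currently cannot
    contain HTML metacharacters; it is encoded anyway, so the page stays safe
    if the validation rule is relaxed later.
    """
    return (
        '<p>Welcome, <span class="user">'
        + encode_html(display_name)
        + "</span> ("
        + encode_html(username)
        + ")</p>"
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_username("  alice_01  "))
    try:
        validate_username("alice<script>")
    except ValidationError as exc:
        print("rejected:", exc)
    # The blocklist passes a payload it does not happen to enumerate.
    print(blocklist_allows("<svg/onload=alert(1)>"))
    print(render_greeting("alice_01", 'Alice "A" <O\'Neil>'))
```

The allow-list never needs to know what an attack looks like; the blocklist has to, and `<svg/onload=...>` slips past it because it was not enumerated. Canonicalising before validating matters too: a fullwidth "Ａ" is folded to "A" by NFKC, so the rule is applied to the form the application actually stores.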
