[Owasp-guide] Prioritised chapters

Tom Stripling tstripling at gmail.com
Thu Mar 28 13:15:28 UTC 2013


I'd like to work on output encoding as well.

Tom


On Thu, Mar 28, 2013 at 5:10 AM, Paco Schiaffella <schiaffella at gmail.com>wrote:

> Hi,
>     I would like to join the input validation chapter too. (but if a
> team of two can be enough for now, I also like the output encoding
> chapter)
>
>
> Thanks,
> Paco
>
>
> 2013/3/28  <Anand_Jayaraman1 at dell.com>:
> > Great to see more people wanting to team up on Input Validation.
> >
> >
> >
> > Arief: Let's team up. We can start with sharing our Skype ids
> > (anand-jayaraman) or gmail ids (anand201301 at gmail.com) so that it is
> > easy to collaborate. If you feel there are better ways, we can use that medium.
> >
> >
> >
> > Regards,
> >
> > Anand
> >
> >
> >
> > From: Lathifah Arief [mailto:lathifah.arief at gmail.com]
> > Sent: Thursday, March 28, 2013 6:53 AM
> > To: Jayaraman1, Anand
> > Cc: owasp-guide at lists.owasp.org; vanderaj vanderaj;
> kevin.w.wall at gmail.com;
> > abraham.kang at owasp.org
> > Subject: Re: [Owasp-guide] Prioritised chapters
> >
> >
> >
> > Hi, I'm interested in input validation too... if you guys don't mind having
> > me on the team, for sure :-)
> >
> > On Mar 27, 2013 2:50 PM, <Anand_Jayaraman1 at dell.com> wrote:
> >
> > Hi,
> >
> >
> >
> > I would like to volunteer for
> >
> >
> >
> > Input Validation
> >
> > http://www.gaiabb.com/wiki/index.php/DG-B06-INPVAL
> >
> >
> >
> > Since I understand it is going to be a team of 3 or more per chapter, I
> > would like to have some more folks to team up with.
> >
> >
> >
> > Regards,
> >
> > Anand
> >
> >
> >
> > From: owasp-guide-bounces at lists.owasp.org
> > [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of vanderaj
> vanderaj
> > Sent: Wednesday, March 27, 2013 8:51 AM
> > To: owasp-guide at lists.owasp.org; Kevin W. Wall
> > Cc: Abraham Kang
> > Subject: [Owasp-guide] Prioritised chapters
> >
> >
> >
> > Hi there,
> >
> >
> >
> > I'm very pleased with the response I got privately and to this list, so
> > let's get it happening without further delay. What I aim to do this time
> > differently is lead the big chapters as editor, and work on some of the
> > smaller chapters personally, like testing and so on.
> >
> >
> >
> > There are a lot of chapters that need writing, but we're not getting far
> > with the current approach, so let's focus on delivering four core chapters
> > first as group-led sub-projects, and then circle around and write the next
> > four as resources become available.
> >
> >
> >
> > Can folks volunteer for one of the four chapters:
> >
> >
> >
> > Authentication
> >
> > http://www.gaiabb.com/wiki/index.php/DG-B03-AUTHN
> >
> >
> >
> > Access Control
> >
> > http://www.gaiabb.com/wiki/index.php/DG-B05-AUTHZ
> >
> >
> >
> > Input Validation
> >
> > http://www.gaiabb.com/wiki/index.php/DG-B06-INPVAL
> >
> >
> >
> > Output Encoding
> >
> > http://www.gaiabb.com/wiki/index.php/DG-B07-OUTENC
> >
> >
> >
> > I'd ideally like to see teams of two or three or more for each chapter.
> > Let's write a draft and we'll polish and edit from there.
> >
> >
> >
> > There are specific things I want each chapter to hit. Each documented
> > control should be comprehensive, concise and readable, preferably have good
> > flows documented using UML swim lane diagrams and pictures, and a list of
> > anti-patterns at the end.
> >
> >
> >
> > I will be holding out for a higher standard than many currently practice -
> > we need to lead, not document common worst practice.
> >
> >
> >
> > For example in authentication, we will not be documenting password recovery
> > using questions and answers as I firmly believe these to be a strong
> > anti-pattern. In input validation, we will be using positive validation as
> > the first choice right through to no validation, but we should always prefer
> > positive validation. Output encoding should be encouraging the encoding of
> > all non-literals, even if it's (currently) safe to not encode them. This is
> > how ESAPI does it, for example.
> >
> >
> >
> > +Kevin Wall - as you requested a long time ago, let's have that G+
> > discussion on the crypto chapter. I totally agree it needs to be different
> > than the ASVS outline. I would like you to lead the re-development of that
> > chapter, and to bring in people you feel could help you write it to the
> > standards you want to see.
> >
> >
> >
> > thanks,
> >
> > Andrew
> >
> >
> > _______________________________________________
> > Owasp-guide mailing list
> > Owasp-guide at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-guide
> >
> >
>
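Andrew's two editorial rules in the quoted message (positive validation as the first choice, and encoding of every non-literal on output even where it is currently safe) shown in working code. This is an example added by the editor of this archive page; it is not code from the OWASP Developer Guide, from ESAPI, or from any poster in the thread. The form fields, the allow-list patterns, the attribute-encoding rule and the HTML template are assumptions made for the example.

```python
import html
import re
from dataclasses import dataclass


# Positive (allow-list) validation: each field states exactly what it
# accepts and everything else is rejected. Nothing here strips or
# "cleans" bad characters; that would be negative validation.
@dataclass(frozen=True)
class Rule:
    pattern: re.Pattern
    max_len: int


# Hypothetical profile form for this example (assumed field names and
# patterns, not taken from the guide). fullmatch() is used below, so the
# patterns need no ^/$ anchors and a trailing newline cannot slip past.
RULES = {
    "username": Rule(re.compile(r"[a-z][a-z0-9_]{2,15}"), 16),
    "display_name": Rule(re.compile(r"[A-Za-z][A-Za-z .'-]{0,39}"), 40),
    "age": Rule(re.compile(r"[1-9][0-9]{0,2}"), 3),
}


class ValidationError(ValueError):
    pass


def validate(form: dict) -> dict:
    """Return only the expected fields, each proven to match its allow-list."""
    clean = {}
    for name, rule in RULES.items():
        if name not in form:
            raise ValidationError(f"missing field: {name}")
        value = form[name]
        if not isinstance(value, str):
            raise ValidationError(f"{name}: wrong type")
        if len(value) > rule.max_len or not rule.pattern.fullmatch(value):
            raise ValidationError(f"{name}: does not match allow-list")
        clean[name] = value
    # Fields the form did not ask for are dropped, never passed through.
    return clean


def rejected(form: dict) -> bool:
    """True if validate() refuses the form (helper for tests)."""
    try:
        validate(form)
        return False
    except ValidationError:
        return True


# Output encoding, chosen per context in which the value is placed.
def encode_html_text(value: str) -> str:
    # HTML text content: & < > " ' become entities.
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    # Quoted attribute value: encode everything but ASCII alphanumerics as
    # &#xHH; so the value cannot end the attribute whichever quote character
    # the template used (an assumed rule for this example, stricter than
    # html.escape).
    return "".join(
        c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in value
    )


def render_profile(clean: dict) -> str:
    """Build the page from literals plus encoded non-literals only."""
    # Every non-literal is encoded, including `age`, which the allow-list
    # already proves is digits only. Encoding it anyway keeps the page safe
    # if the rule for `age` is later relaxed.
    return (
        '<div class="profile" data-user="{u}">'
        "<h1>{d}</h1><p>Age: {a}</p></div>"
    ).format(
        u=encode_html_attr(clean["username"]),
        d=encode_html_text(clean["display_name"]),
        a=encode_html_text(clean["age"]),
    )


if __name__ == "__main__":
    # Constructed sample submissions for the example.
    good = {"username": "alice_01", "display_name": "Alice O'Neil", "age": "34"}
    bad = {"username": "alice", "display_name": "<script>alert(1)</script>", "age": "34"}
    print(render_profile(validate(good)))
    print("bad form rejected:", rejected(bad))
```

Note that the `<script>` submission is refused by the allow-list before it reaches any encoder, and that the rendered page still contains no raw user bytes for the accepted form: the apostrophe in the display name and the underscore in the username are both entity-encoded because the template treats every non-literal the same way.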