[Owasp-guide] Prioritised chapters

Tom Stripling tstripling at gmail.com
Thu Mar 28 19:32:59 UTC 2013


I can also help with editing, if needed.


On Thu, Mar 28, 2013 at 8:15 AM, Tom Stripling <tstripling at gmail.com> wrote:

> I'd like to work on output encoding as well.
>
> Tom
>
>
> On Thu, Mar 28, 2013 at 5:10 AM, Paco Schiaffella <schiaffella at gmail.com>wrote:
>
>> Hi,
>>     I would like to join the input validation chapter too. (but if a
>> team of two can be enough for now, I also like the output encoding
>> chapter)
>>
>>
>> Thanks,
>> Paco
>>
>>
>> 2013/3/28  <Anand_Jayaraman1 at dell.com>:
>> > Great to see more people wanting to team up on Input Validation.
>> >
>> >
>> >
>> > Arief: Let's team up. We can start by sharing our Skype ids
>> > (anand-jayaraman) or gmail ids (anand201301 at gmail.com) so that it is
>> > easy to collaborate. If you feel there are better ways, we can use that medium.
>> >
>> >
>> >
>> > Regards,
>> >
>> > Anand
>> >
>> >
>> >
>> > From: Lathifah Arief [mailto:lathifah.arief at gmail.com]
>> > Sent: Thursday, March 28, 2013 6:53 AM
>> > To: Jayaraman1, Anand
>> > Cc: owasp-guide at lists.owasp.org; vanderaj vanderaj; kevin.w.wall at gmail.com;
>> > abraham.kang at owasp.org
>> > Subject: Re: [Owasp-guide] Prioritised chapters
>> >
>> >
>> >
>> > Hi, I'm interested in input validation too... if you guys don't mind
>> > having me in the team, for sure :-)
>> >
>> > On Mar 27, 2013 2:50 PM, <Anand_Jayaraman1 at dell.com> wrote:
>> >
>> > Hi,
>> >
>> >
>> >
>> > I would like to volunteer for
>> >
>> >
>> >
>> > Input Validation
>> >
>> > http://www.gaiabb.com/wiki/index.php/DG-B06-INPVAL
>> >
>> >
>> >
>> > Since I understand it is going to be a team of 3 or more per chapter, I
>> > would like to have some more folks to team up with.
>> >
>> >
>> >
>> > Regards,
>> >
>> > Anand
>> >
>> >
>> >
>> > From: owasp-guide-bounces at lists.owasp.org
>> > [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of vanderaj vanderaj
>> > Sent: Wednesday, March 27, 2013 8:51 AM
>> > To: owasp-guide at lists.owasp.org; Kevin W. Wall
>> > Cc: Abraham Kang
>> > Subject: [Owasp-guide] Prioritised chapters
>> >
>> >
>> >
>> > Hi there,
>> >
>> >
>> >
>> > I'm very pleased with the response I got privately and to this list, so
>> > let's get it happening without further delay. What I aim to do this time
>> > differently is lead the big chapters as editor, and work on some of the
>> > smaller chapters personally, like testing and so on.
>> >
>> >
>> >
>> > There are a lot of chapters that need writing, but we're not getting far
>> > with the current approach, so let's focus on delivering four core chapters
>> > first as group-led sub-projects, and then circle around and write the next
>> > four as resources become available.
>> >
>> >
>> >
>> > Can folks volunteer for one of the four chapters:
>> >
>> >
>> >
>> > Authentication
>> >
>> > http://www.gaiabb.com/wiki/index.php/DG-B03-AUTHN
>> >
>> >
>> >
>> > Access Control
>> >
>> > http://www.gaiabb.com/wiki/index.php/DG-B05-AUTHZ
>> >
>> >
>> >
>> > Input Validation
>> >
>> > http://www.gaiabb.com/wiki/index.php/DG-B06-INPVAL
>> >
>> >
>> >
>> > Output Encoding
>> >
>> > http://www.gaiabb.com/wiki/index.php/DG-B07-OUTENC
>> >
>> >
>> >
>> > I'd ideally like to see teams of two or three or more for each chapter.
>> > Let's write a draft and we'll polish and edit from there.
>> >
>> >
>> >
>> > There are specific things I want each chapter to hit. Each documented
>> > control should be comprehensive, concise and readable, preferably have
>> > good flows documented using UML swim lane diagrams and pictures, and a
>> > list of anti-patterns at the end.
>> >
>> >
>> >
>> > I will be holding out for a higher standard than many currently
>> > practice - we need to lead, not document common worst practice.
>> >
>> >
>> >
>> > For example, in authentication we will not be documenting password
>> > recovery using questions and answers, as I firmly believe these to be a
>> > strong anti-pattern. In input validation, we will be using positive
>> > validation as the first choice right through to no validation, but we
>> > should always prefer positive validation. Output encoding should be
>> > encouraging the encoding of all non-literals, even if it's (currently)
>> > safe to not encode them. This is how ESAPI does it, for example.
>> >
>> >
>> >
>> > +Kevin Wall - as you requested a long time ago, let's have that G+
>> > discussion on the crypto chapter. I totally agree it needs to be
>> > different than the ASVS outline. I would like you to lead the
>> > re-development of that chapter, and to bring in people you feel could
>> > help you write it to the standards you want to see.
>> >
>> >
>> >
>> > thanks,
>> >
>> > Andrew
>> >
>> >
>> > _______________________________________________
>> > Owasp-guide mailing list
>> > Owasp-guide at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-guide
>>
>
>
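An added example, not code from this thread, the Developer Guide or ESAPI, of the two positions Andrew states in the quoted message: positive (allow-list) validation as the first choice, and encoding of every non-literal on output even when the current value looks safe. The field names, the allow-list patterns and the function names are assumptions constructed for illustration.

```python
import html
import re

# Positive validation: each field carries an explicit allow-list pattern and a
# length bound. Input that does not match is rejected outright rather than
# "cleaned" of known-bad characters. These field rules are constructed
# for illustration and are not from the Guide.
FIELD_RULES = {
    "username": (re.compile(r"^[a-z][a-z0-9_]{2,31}$"), 32),
    "zip_code": (re.compile(r"^[0-9]{5}(-[0-9]{4})?$"), 10),
    "comment":  (re.compile(r"^[\w .,!?'\-]{1,280}$"), 280),
}


class ValidationError(ValueError):
    """Raised when a value is not on the field's allow-list."""


def validate(field: str, value) -> str:
    """Return value unchanged only if it matches the field's allow-list."""
    if field not in FIELD_RULES:
        raise ValidationError(f"no rule for field {field!r}")
    pattern, max_len = FIELD_RULES[field]
    # Check type and length before the regex so oversized input is cheap to reject.
    if not isinstance(value, str) or len(value) > max_len:
        raise ValidationError(f"{field}: wrong type or too long")
    if not pattern.fullmatch(value):
        raise ValidationError(f"{field}: does not match allowed pattern")
    return value


def validate_form(raw: dict) -> dict:
    """Validate every expected field; missing fields fail, unknown fields are dropped."""
    return {field: validate(field, raw.get(field, "")) for field in FIELD_RULES}


# Output encoding: every non-literal (anything that is not a hard-coded part of
# the template) is HTML-entity encoded, whether or not the particular value
# contains a significant character today. Validation above already bounds the
# values, yet the encoder still runs on all of them: the two controls are layered.
def render_profile(values: dict) -> str:
    template = (
        "<p>User: {username}</p>\n"
        "<p>ZIP: {zip_code}</p>\n"
        "<p>Says: {comment}</p>"
    )
    encoded = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    return template.format(**encoded)


if __name__ == "__main__":
    # Constructed sample submissions.
    good = {"username": "tom_s", "zip_code": "30301",
            "comment": "O'Reilly's book, ch. 6"}
    print(render_profile(validate_form(good)))
    # Rejected by the allow-list (space and capital letter), not because any
    # character on a deny-list was found.
    bad = {"username": "Tom Stripling", "zip_code": "30301", "comment": "hi"}
    try:
        validate_form(bad)
    except ValidationError as err:
        print("rejected:", err)
```

The apostrophes in the sample comment pass validation and would be harmless inside a `<p>` element, yet they still come out as `&#x27;`; that is the "encode all non-literals even when currently safe" rule, applied so that the same rendering code stays correct if the value is later placed in an attribute or another context.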