[Owasp-guide] Owasp-guide Digest, Vol 49, Issue 6

Jerry Kickenson jerry.kickenson at gmail.com
Fri Mar 29 02:05:36 UTC 2013


I'm happy to contribute to Authentication or Access Control.  Since Andrew seems to have Authentication in hand, perhaps Access Control would be better.  Let me know.

Best regards,
Kerry

Sent from my iPad

On Mar 28, 2013, at 3:33 PM, owasp-guide-request at lists.owasp.org wrote:

> 
> Today's Topics:
> 
>   1. Re: Prioritised chapters (Tom Stripling)
>   2. OWASP Guide editor credentials (Dunkle, Edward (Edward))
>   3. Re: Prioritised chapters (Tom Stripling)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 28 Mar 2013 08:15:28 -0500
> From: Tom Stripling <tstripling at gmail.com>
> To: Paco Schiaffella <schiaffella at gmail.com>
> Cc: "owasp-guide at lists.owasp.org" <owasp-guide at lists.owasp.org>
> Subject: Re: [Owasp-guide] Prioritised chapters
> Message-ID:
>    <CAEBXpSeYrKJK2NnzDeZ7yoc1-fXjgBhk6EVd64KR+52UZQcEBA at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I'd like to work on output encoding as well.
> 
> Tom
> 
> 
> On Thu, Mar 28, 2013 at 5:10 AM, Paco Schiaffella <schiaffella at gmail.com> wrote:
> 
>> Hi,
>>    I would like to join the input validation chapter too. (But if a
>> team of two is enough for now, I also like the output encoding
>> chapter.)
>> 
>> 
>> Thanks,
>> Paco
>> 
>> 
>> 2013/3/28  <Anand_Jayaraman1 at dell.com>:
>>> Great to see more people wanting to team up on Input Validation.
>>> 
>>> 
>>> 
>>> Arief: Let's team up. We can start by sharing our Skype IDs
>>> (anand-jayaraman) or Gmail IDs (anand201301 at gmail.com) so that it is
>>> easy to collaborate. If you feel there are better ways, we can use that
>>> medium.
>>> 
>>> 
>>> 
>>> Regards,
>>> 
>>> Anand
>>> 
>>> 
>>> 
>>> From: Lathifah Arief [mailto:lathifah.arief at gmail.com]
>>> Sent: Thursday, March 28, 2013 6:53 AM
>>> To: Jayaraman1, Anand
>>> Cc: owasp-guide at lists.owasp.org; vanderaj vanderaj;
>>> kevin.w.wall at gmail.com; abraham.kang at owasp.org
>>> Subject: Re: [Owasp-guide] Prioritised chapters
>>> 
>>> 
>>> 
>>> Hi, I'm interested in input validation too... if you guys don't mind
>>> having me on the team, for sure :-)
>>> 
>>> On Mar 27, 2013 2:50 PM, <Anand_Jayaraman1 at dell.com> wrote:
>>> 
>>> Hi,
>>> 
>>> 
>>> 
>>> I would like to volunteer for
>>> 
>>> 
>>> 
>>> Input Validation
>>> 
>>> http://www.gaiabb.com/wiki/index.php/DG-B06-INPVAL
>>> 
>>> 
>>> 
>>> Since I understand it is going to be a team of 3 or more per chapter, I
>>> would like to have some more folks to team up with.
>>> 
>>> 
>>> 
>>> Regards,
>>> 
>>> Anand
>>> 
>>> 
>>> 
>>> From: owasp-guide-bounces at lists.owasp.org
>>> [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of vanderaj vanderaj
>>> Sent: Wednesday, March 27, 2013 8:51 AM
>>> To: owasp-guide at lists.owasp.org; Kevin W. Wall
>>> Cc: Abraham Kang
>>> Subject: [Owasp-guide] Prioritised chapters
>>> 
>>> 
>>> 
>>> Hi there,
>>> 
>>> 
>>> 
>>> I'm very pleased with the response I got privately and to this list, so
>>> let's get it happening without further delay. What I aim to do this time
>>> differently is lead the big chapters as editor, and work on some of the
>>> smaller chapters personally, like testing and so on.
>>> 
>>> 
>>> 
>>> There are a lot of chapters that need writing, but we're not getting far
>>> with the current approach, so let's focus on delivering four core
>>> chapters first as group-led sub-projects, and then circle around and
>>> write the next four as resources become available.
>>> 
>>> 
>>> 
>>> Can folks volunteer for one of the four chapters:
>>> 
>>> 
>>> 
>>> Authentication
>>> 
>>> http://www.gaiabb.com/wiki/index.php/DG-B03-AUTHN
>>> 
>>> 
>>> 
>>> Access Control
>>> 
>>> http://www.gaiabb.com/wiki/index.php/DG-B05-AUTHZ
>>> 
>>> 
>>> 
>>> Input Validation
>>> 
>>> http://www.gaiabb.com/wiki/index.php/DG-B06-INPVAL
>>> 
>>> 
>>> 
>>> Output Encoding
>>> 
>>> http://www.gaiabb.com/wiki/index.php/DG-B07-OUTENC
>>> 
>>> 
>>> 
>>> I'd ideally like to see teams of two or three or more for each chapter.
>>> Let's write a draft and we'll polish and edit from there.
>>> 
>>> 
>>> 
>>> There are specific things I want each chapter to hit. Each documented
>>> control should be comprehensive, concise and readable, preferably have
>>> good flows documented using UML swim lane diagrams and pictures, and a
>>> list of anti-patterns at the end.
>>> 
>>> 
>>> 
>>> I will be holding out for a higher standard than many currently
>>> practice - we need to lead, not document common worst practice.
>>> 
>>> 
>>> 
>>> For example in authentication, we will not be documenting password
>>> recovery using questions and answers as I firmly believe these to be a
>>> strong anti-pattern. In input validation, we will be using positive
>>> validation as the first choice right through to no validation, but we
>>> should always prefer positive validation. Output encoding should be
>>> encouraging the encoding of all non-literals, even if it's (currently)
>>> safe not to encode them. This is how ESAPI does it, for example.
>>> 
>>> 
>>> 
>>> +Kevin Wall - as you requested a long time ago, let's have that G+
>>> discussion on the crypto chapter. I totally agree it needs to be
>>> different from the ASVS outline. I would like you to lead the
>>> re-development of that chapter, and to bring in people you feel could
>>> help you write it to the standards you want to see.
>>> 
>>> 
>>> 
>>> thanks,
>>> 
>>> Andrew
>>> 
>>> 
>>> _______________________________________________
>>> Owasp-guide mailing list
>>> Owasp-guide at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-guide
>>> 
>>> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 28 Mar 2013 14:27:37 -0400
> From: "Dunkle, Edward \(Edward\)" <edward.dunkle at verizon.com>
> To: "owasp-guide at lists.owasp.org" <owasp-guide at lists.owasp.org>
> Subject: [Owasp-guide] OWASP Guide editor credentials
> Message-ID:
>    <CA9D68EB765FFF46B70D6E819FD530572E58A201D1 at FHDP1LUMXC7V22.us.one.verizon.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> Andrew,
> 
> What credentials are required for someone to help with editing the guide?
> 
> Thanks,
> Ed
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 28 Mar 2013 14:32:59 -0500
> From: Tom Stripling <tstripling at gmail.com>
> To: Paco Schiaffella <schiaffella at gmail.com>
> Cc: "owasp-guide at lists.owasp.org" <owasp-guide at lists.owasp.org>
> Subject: Re: [Owasp-guide] Prioritised chapters
> Message-ID:
>    <CAEBXpSdKRT07SOqOakijGeWnTr5QA25W=3JjMC+NVb30PxZ09A at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I can also help with editing, if needed.
> 
> ------------------------------
> 
> End of Owasp-guide Digest, Vol 49, Issue 6
> ******************************************
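As an added illustration of the two rules Andrew sets out in the quoted thread (positive validation as the first choice, weaker validation only where an allow-list is impossible, and encoding of every non-literal at output even when it is currently safe), written for this page and not taken from the thread or from ESAPI; the field names, the allow-list pattern and the HTML page layout are assumptions.

```python
import html
import re

# Constructed allow-list for a username field (hypothetical pattern for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> str:
    """Positive validation: accept only strings matching the allow-list, reject the rest."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username rejected by positive validation")
    return value


def validate_comment(value: str, max_len: int = 500) -> str:
    """Free text cannot be tightly allow-listed, so validation is weaker here:
    bound the length and reject control characters, then rely on output encoding."""
    if len(value) > max_len:
        raise ValueError("comment too long")
    if any(ord(ch) < 0x20 and ch not in "\n\t" for ch in value):
        raise ValueError("comment contains control characters")
    return value


def enc(value) -> str:
    """Encode a non-literal for an HTML text or attribute context."""
    return html.escape(str(value), quote=True)


def render_profile(username: str, comment: str, item_count: int) -> str:
    """Every non-literal is encoded, including item_count, which today can only be
    digits and would be 'safe' unencoded; encoding it anyway keeps the rule uniform."""
    username = validate_username(username)
    comment = validate_comment(comment)
    return (
        "<p>User: " + enc(username) + "</p>"
        "<p>Items: " + enc(item_count) + "</p>"
        "<blockquote>" + enc(comment) + "</blockquote>"
    )


if __name__ == "__main__":
    print(render_profile("alice_01", 'I <3 "OWASP" & friends', 3))
```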
