[Owasp-guide] References in the DevGuide

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jul 3 04:43:23 UTC 2014

Actually, so far, I've been pretty impressed by the quality of the crypto-related materials on Wikipedia. In general, they are accurate, complete, and for the most part, approachable. Certainly there are exceptions. And of course the biggest risk is that they can be edited by anyone who is pretty much clueless.

By contrast, OWASP is exceptionally weak in this area and most of the academic papers on the subject are beyond the comprehension of the casual developer or security person. I even struggle with many of them and have to read and re-read them a few times until I get the gist of it. And I just don't think anyone but a diehard crypto person would ever read most of those papers because many of them are dense and laden with maths that would make the average Joe Developer's head spin.

So that's why I try to reference good books when possible. E.g., I find the book _Handbook of Applied Cryptography_ by Menezes et al. to be quite approachable, and a version of it is online to boot.

OTOH, here's what I currently have for my references:

* http://www.keylength.com/
* Alfred Menezes, Paul van Oorschot, Scott Vanstone, Handbook of Applied Cryptography, 1997, CRC Press, ISBN 0-8493-8523-7. (Online:
* NIST Special Publication 800-57, Recommendation for Key Management – Part 1: General (Revision 3). (Online:
* ENISA (editor: Nigel P. Smart), Algorithms, Key Sizes, and Parameters Report: 2013 Recommendations,
* Niels Ferguson, Bruce Schneier, Tadayoshi Kohno, Cryptography Engineering: Design Principles and Practical Applications, 2010, Wiley Publishing Inc, ISBN 978-0-470-47424-2.

BTW, you never responded to my email about the "path" that we use for embedding images? I see the 'images' directory, but do we use "/images/img.png" or "file://images/img.png" or "file:images/img.png" or what?


On Wed, Jul 2, 2014 at 11:55 PM, Andrew van der Stock
<vanderaj at owasp.org> wrote:
> Hi folks,
> When writing new chapters, I don't mind references to Wikipedia, but please
> reference primary sources (such as academic papers, blogs, etc.) and links to
> OWASP first, and Wikipedia last. The OWASP Wiki should be the canonical web
> application security body of knowledge. Wikipedia is a good general source
> of information, but is not a primary source.
> For more information about citing Wikipedia, please review this blog post
> from Thesis Whisperer (which is an excellent research blog for those who are
> doing their masters or PhD dissertations).
> http://thesiswhisperer.com/2011/05/05/what-the-wiki/
> If there's a gap at OWASP, let's talk about the gap as we need the owasp.org
> wiki to be complete.
> Again, I don't mind linking to Wikipedia with care, but I want us to be a
> primary source and to reference other primary sources before referencing a
> general purpose reference.
> thanks,
> Andrew

Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
