[Owasp-leaders] OWASP Developer Guide Grant Proposal

vanderaj <vanderaj at owasp.org>
Mon Jan 12 15:50:32 EST 2009

Hi folks,

Recently, I found myself with a whole lot more time going forward, and
instead of immediately seeking new employment in Australia, I would
like to seek an OWASP Grant to work full time on the Developer Guide
for a period of time, probably four to five months total. I think I
can make huge in-roads of a major re-vamp if it's my only worry for a
while, and of course if I can rustle up a few contributors to help!

I'd be interested in getting your input on the grant idea, and of
course, I'm always interested in contributors to help the Developer
Guide process along the way!

-- Included message I sent to the Board previously --

Hi folks,

I'd like to apply for a grant from OWASP to work on the Developer
Guide full time for a few months.

The Developer Guide is the genesis of OWASP, and one of the most read
and used OWASP projects. Unfortunately, due to my commitments
elsewhere, I've let it fall behind the projects. It's more than time
to bring it up to date, tighten its focus to be solely about Building
secure software, help improve related projects, and bring it into line
with the ASVS and use ESAPI for its example code snippets. I would
like to use a recent change in my employment status as a boon for
OWASP and the world wide webappsec community, but I can only do that
if I can obtain funding to allow me to do this full time for a while.

Goal: To completely revamp the Developer Guide, working with the
existing text, recruiting others to help author some of the text (see
below for details), and making improvements or writing new articles as

The Developer Guide's focus will change (as planned previously) to be
solely about building new secure software, and not testing or
reviewing existing software. Therefore, the Developer Guide will
contribute existing material and link to the ASDR, the other Guides,
and the ASVS, obviously working with the help of OWASP's technical
editor and the other project leaders and their respective teams so
that the changes are not surprises for the leaders of those projects,
and correctly integrated. As I will be using ESAPI as the code
examples, I will also help drive the adoption of ESAPI, as well as
improve the ESAPI for PHP implementation.

As this is a much bigger project than many other grant or season of code
projects, I would suggest that there are multiple delivery stages,
with a progress payment for successfully completing each stage. I
think it makes the most sense for four stages, each one to two months

I would like to work on this full time if the grant provides
sufficient funds to support my family during this effort. If I am able
to work on this full time, I can have it finished by OWASP EU in May
of this year, especially if I have sufficient volunteer contributors.
If the grant cannot support us, I would then try to deliver the
project by OWASP USA in the latter part of the year, as I will have to
seek full time employment upon my return to Australia.

I would like to suggest three grants of $4000 USD each for the first
three stages and the last stage of $2000 (so totalling $14,000 USD)
over a period of one to two months each to allow me to work on this
full time until it's done.

Considering the size of the project - a publishable book of
approximately 300 pages and major enhancements to the ADSR, heavy
linking and some improvements to the Code Review, Testing, ESAPI, and
ASVS projects, hopefully this proposal will find a welcome reception.
Obviously, as all copyright and rights remains with OWASP, OWASP can
publish the resulting book for profit, offsetting this grant's cost to

Stage One: The vital few

In the first stage, I intend to:

* Re-vamp a few key chapters which are used by other OWASP materials,
in particular, the Top 10, ASVS, and ADSR.
* Start recruiting volunteer contributors to re-vamp both first and
second stage chapters
* Farm out a few of the first stage chapters to current contributors,
and if I get a lot more, some of the second stage chapters to give
them more time to complete their work

I have a small number of contributors today, but nothing motivates
contributions like a leader doing a lot of work (see the Testing Guide
for results!).

The main focus is to re-vamp the following chapters:

* Authentication (in progress today)
* Access Control
* Session Management (in progress today via a contributor)
* Canonicalization and Input validation
* Database Security (in progress today via a contributor)

During the revamp, in concert with OWASP's technical editor and the
other project leads, I will move all testing material to the testing
guide (if it needs it) and linking, moving the code review material to
the code review guide (if it needs it) and linking, ensure that
attacks and weaknesses are linked to the ADSR and ensure that the ADSR
article is neutral and factual as per a dictionary or encyclopedia
article. The main body of the chapter will then be either put out to a
recruit for re-writing or I will re-write it personally.

At completion of this stage, the above chapters will make the
Developer Guide more useful for Architects and Developers as a secure
building guide for the majority of issues found in the OWASP Top 10.
All applicable build related controls found in the ASVS will be
covered by the Developer Guide. I will note the ASVS level for each
Developer Guide implementation / control, and link to the verification
in ASVS and other Guides to eliminate redundancy and to centralize

Stage Two: The rest of the edits

Stage Two's focus is to farm out all remaining chapters (approximately
10-15) to contributors, using the new Stage 1 chapters as "templates
of goodness", with an outline of what I believe needs to be covered. I
believe this is the quickest way to complete the Developer Guide
before OWASP EU. Therefore, my role in Stage Two is to be the editor.

As editor, I will make sure the articles are high quality and have a
"single voice", iron out any English as a second language issues, and
ensure links are in place, and ensure old material has been
appropriately moved to the other Guides. I will work with OWASP's
technical editor to ensure that these changes are well known and
communicated amongst all the affected projects and leaders.

Stage Three: Fit and Finish

Stage Three is all about fit and finish, diagrams, and code snippets:

* Ensure that all chapters have been received from stage two
contributors, or re-vamp them myself. This is a last resort as it may
delay the completion of this stage.
* Ensure each chapter is written to the same standard as all the others
* Write as many code examples using ESAPI as possible and ready a code
snippet gallery for distribution online with the Developer Guide so
folks can cut and paste it
* Create standardized diagrams (UML sequence diagrams, etc) for
concepts that are more easily explained in that way
* Create standardized screen shots as necessary
* Communicate with OWASP's graphic designer on any "artistic" diagrams
that may be necessary so that the Developer Guide feels professional
and has a single graphical look and feel
* Research the latest real-world examples and CVEs (via NIST) and place
them in the footnotes for each chapter
* Ensure links to the ASVS, Top 10, Coding Guide, Testing Guide and
ADSR are as complete as possible, and make sure those destinations are
relevant and useful in themselves

The majority of code examples will use ESAPI for J2EE as it is
complete and stable. However, it's important to show code snippets in
as many common languages as possible. Therefore, on a few key
examples, I will use the other ports of ESAPI (.NET and PHP), and if
necessary make small updates for ESAPI for PHP so that it can be API
compatible with its J2EE counterpart. This will be very selective as
I'm not setting out to complete the ESAPI for PHP port as part of this
effort, but just enough to prove that ESAPI works in multiple
languages. That said, such improvements will be fed directly back to
the ESAPI for PHP port, thus benefiting that project, which will
hopefully attract more developers and contributors to it.

Stage Four: Publication

The final stage is to prepare a manuscript for publication, either at
Lulu (using the OWASP Word document template), or a publisher's
manuscript format.

Once each chapter is copy complete with all diagrams and code
snippets, I will farm out the finalized chapters for public peer
review. Any review changes will be made to both the Word and Wiki

The document set would form the basis of the PDF for the web site. As
this is a shorter stage, I would only be seeking USD $2000 for this
stage grant.

Please let me know your thoughts, and hopefully, with some luck, I'd
love to start work on this as soon as possible.
