[Owasp-leaders] OWASP Developer Guide Grant Proposal

Mike Boberski mike.boberski at cox.net
Mon Jan 12 19:45:44 EST 2009

While I don't think there's anyone on this list who's not empathetic, I
don't think it is appropriate to support one OWASP project or another with
such a disproportionately sized grant unless it is being sponsored by a
corporate member. In which case, I'm not sure why they wouldn't hire
whomever! I guess I'm not sure why my opinion is being solicited, though.
This solicitation is not consistent with my understanding of how the process
works. Perhaps I'm in error or the process changed, though.

Hi folks,

Recently, I found myself with a whole lot more time going forward, and
instead of immediately seeking new employment in Australia, I would like to
seek an OWASP Grant to work full time on the Developer Guide for a period of
time, probably four to five months total. I think I can make huge in-roads
of a major re-vamp if it's my only worry for a while, and of course if I can
rustle up a few contributors to help!

I'd be interested in getting your input on the grant idea, and of course,
I'm always interested in contributors to help the Developer Guide process
along the way!

-- Included message I sent to the Board previously --

Hi folks,

I'd like to apply for a grant from OWASP to work on the Developer Guide full
time for a few months.

The Developer Guide is the genesis of OWASP, and one of the most read and
used OWASP projects. Unfortunately, due to my commitments elsewhere, I've
let it fall behind the projects. It's more than time to bring it up to date,
tighten its focus to be solely about Building secure software, help improve
related projects, and bring it into line with the ASVS and use ESAPI for its
example code snippets. I would like to use a recent change in my employment
status as a boon for OWASP and the world wide webappsec community, but I can
only do that if I can obtain funding to allow me to do this full time for a

Goal: To completely revamp the Developer Guide, working with the existing
text, recruiting others to help author some of the text (see below for
details), and making improvements or writing new articles as necessary.

The Developer Guide's focus will change (as planned previously) to be solely
about building new secure software, and not testing or reviewing existing
software. Therefore, the Developer Guide will contribute existing material
and link to the ASDR, the other Guides, and the ASVS, obviously working with
the help of OWASP's technical editor and the other project leaders and their
respective teams so that the changes are not surprises for the leaders of
those projects, and correctly integrated. As I will be using ESAPI as the
code examples, I will also help drive the adoption of ESAPI, as well as
improve the ESAPI for PHP implementation.

As this is a much bigger project than many other grant or season of code
projects, I would suggest that there are multiple delivery stages, with a
progress payment for successfully completing each stage. I think it makes
the most sense for four stages, each one to two months long.

I would like to work on this full time if the grant provides sufficient
funds to support my family during this effort. If I am able to work on this
full time, I can have it finished by OWASP EU in May of this year,
especially if I have sufficient volunteer contributors.
If the grant cannot support us, I would then try to deliver the project by
OWASP USA in the latter part of the year, as I will have to seek full time
employment upon my return to Australia.

I would like to suggest three grants of $4000 USD each for the first three
stages and the last stage of $2000 (so totalling $14,000 USD) over a period
of one to two months each to allow me to work on this full time until its

Considering the size of the project - a publishable book of approximately
300 pages and major enhancements to the ASDR, heavy linking and some
improvements to the Code Review, Testing, ESAPI, and ASVS projects,
hopefully this proposal will find a welcome reception.
Obviously, as all copyright and rights remain with OWASP, OWASP can publish
the resulting book for profit, offsetting this grant's cost to OWASP.

Stage One: The vital few

In the first stage, I intend to:

* Re-vamp a few key chapters which are used by other OWASP materials, in
particular, the Top 10, ASVS, and ASDR.
* Start recruiting volunteer contributors to re-vamp both first and second
stage chapters
* Farm out a few of the first stage chapters to current contributors, and if
I get a lot more, some of the second stage chapters to give them more time
to complete their work

I have a small number of contributors today, but nothing motivates
contributions like a leader doing a lot of work (see the Testing Guide for

The main focus is to re-vamp the following chapters:

* Authentication (in progress today)
* Access Control
* Session Management (in progress today via a contributor)
* Canonicalization and Input validation
* Database Security (in progress today via a contributor)

During the revamp, in concert with OWASP's technical editor and the other
project leads, I will move all testing material to the testing guide (if it
needs it) and linking, moving the code review material to the code review
guide (if it needs it) and linking, ensure that attacks and weaknesses are
linked to the ASDR and ensure that the ASDR article is neutral and factual
as per a dictionary or encyclopedia article. The main body of the chapter
will then be either put out to a recruit for re-writing or I will re-write
it personally.

At completion of this stage, the above chapters will make the Developer
Guide more useful for Architects and Developers as a secure building guide
for the majority of issues found in the OWASP Top 10.
All applicable build related controls found in the ASVS will be covered by
the Developer Guide. I will note the ASVS level for each Developer Guide
implementation / control, and link to the verification in ASVS and other
Guides to eliminate redundancy and to centralize information.

Stage Two: The rest of the edits

Stage Two's focus is to farm out all remaining chapters (approximately
10-15) to contributors, using the new Stage 1 chapters as "templates of
goodness", with an outline of what I believe needs to be covered. I believe
this is the quickest way to complete the Developer Guide before OWASP EU.
Therefore, my role in Stage Two is to be the editor.

As editor, I will make sure the articles are high quality and have a "single
voice", iron out any English as a second language issues, and ensure links
are in place, and ensure old material has been appropriately moved to the
other Guides. I will work with OWASP's technical editor to ensure that these
changes are well known and communicated amongst all the affected projects
and leaders.

Stage Three: Fit and Finish

Stage Three is all about fit and finish, diagrams, and code snippets:

* Ensure that all chapters have been received from stage two contributors,
or re-vamp them myself. This is a last resort as it may delay the completion
of this stage.
* Ensure each chapter is written to the same standard as all the others
* Write as many code examples using ESAPI as possible and ready a code
snippet gallery for distribution online with the Developer Guide so folks
can cut and paste it
* Create standardized diagrams (UML sequence diagrams, etc.) for concepts
that are more easily explained in that way
* Create standardized screen shots as necessary
* Communicate with OWASP's graphic designer on any "artistic" diagrams that
may be necessary so that the Developer Guide feels professional and has a
single graphical look and feel
* Research latest real world examples and CVE (via NIST) and place them in
the footnotes for each chapter
* Ensure links to the ASVS, Top 10, Coding Guide, Testing Guide and ASDR are
as complete as possible, and make sure those destinations are relevant and
useful in themselves

The majority of code examples will use ESAPI for J2EE as it is complete and
stable. However, it's important to show code snippets in as many common
languages as possible. Therefore, on a few key examples, I will use the
other ports of ESAPI (.NET and PHP), and if necessary make small updates for
ESAPI for PHP so that it can be API compatible with its J2EE counterpart.
This will be very selective as I'm not setting out to complete the ESAPI for
PHP port as part of this effort, but just enough to prove that ESAPI works
in multiple languages. That said, such improvements will be fed directly
back to the ESAPI for PHP port, thus benefiting that project, which will
hopefully attract more developers and contributors to it.

Stage Four: Publication

The final stage is to prepare a manuscript for publication, either at Lulu
(using the OWASP word document template), or a publisher's manuscript

Once each chapter is copy complete with all diagrams and code snippets, I
will farm out the finalized chapters for public peer review. Any review
changes will be made to both the Word and Wiki versions.

The document set would form the basis of the PDF for the web site. As this
is a shorter stage, I would only be seeking USD $2000 for this stage grant.

Please let me know your thoughts, and hopefully, with some luck, I'd love to
start work on this as soon as possible.

