[Owasp-leaders] (& how hard is to find download links on the OWASP website) Re: [Owasp-topten] (no subject)

Mike Boberski mike.boberski at gmail.com
Sun Sep 20 12:14:25 EDT 2009


FYI, no committee had anything to do with the PDFs, not the slightest
involvement whatsoever. I created all of the different PDFs referenced in
my email; they weren't created with the goal to meet any requirements, I just
decided to share them with OWASP since I thought they might be more generally
useful, after creating them for my own purposes.

Perhaps this begs the question about what I think of the documentation threads
(and perhaps the committees, but I won't go there), since what I've produced
is "fantastic".

I would encourage all projects to have a one-pager, and all tool projects to
get their projects under Google Code and have an install guide, release
notes, and ideally also a getting started guide; if an API, the minimum
would also include interface docs.

Projects are otherwise just dust in the wind, at least from most users'
perspective.

Best,

Mike


On Sun, Sep 20, 2009 at 11:55 AM, Seba <seba at owasp.org> wrote:

> Dinis,
>
> as always, you can make your point :-)
> I hope you had a good time in the park.
>
> The GPC did a fantastic job in creating these templates.
>
> I hope everybody understands that OWASP is not only about creating
> fantastic stuff.
> OWASP is of course also about sharing this with the 'outside world'.
>
> I am convinced that the people on the different committees and all the
> other owasp leaders are in the unique position to improve and streamline the
> sharing part. This is not something we should 'outsource' to a marketing or
> PR department.
>
> Seba
>
> On Sun, Sep 20, 2009 at 3:32 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Thanks for the links Michael (nice example of the usefulness of those
>> 'bureaucratic' PDFs).
>> And just to try to show in a graphical way why we need standards when
>> presenting our projects' basic information, here is a workflow (hopefully as
>> accurate as I can replicate a normal user (i.e. not an experienced OWASP
>> leader)) who is trying to answer the question
>>
>> *"So, where is the latest version of the OWASP Top 10?"* (note: I
>> started this by trying to add the 'Owasp top 10' download link to this
>> thread (and in fact this is a real-world question asked recently by Tom B to
>> Paulo Coimbra))
>>
>> [in the words/mind of a normal user trying to find this link]
>>
>>    1. probably the best way to start is on the OWASP home page:
>>    http://www.owasp.org/index.php/Main_Page
>>    2. wooooaaahh, that is a lot of links and information, hummm, on the
>>    side there is this thing called 'OWASP Projects', let me click in there
>>    3. wooooaaahh, that is also a lot of stuff!!!!
>>    4. I think I will google it ( ... the most sharp-eyed probably
>>    noticed that there is a link for the OWASP Top 10 on the OWASP home page and
>>    that (if you scroll down) there is also a link inside the projects page in
>>    the 'Release Quality Projects' tab ... )
>>    5. ahh, that's better
>>    http://www.google.co.uk/#hl=en&source=hp&q=owasp+top+10
>>    6. That said, I'm a bit confused here, hit #1 points to *Category:OWASP
>>    Top Ten Project - OWASP* and link #2 points to *Top 10 2007 - OWASP*, which one is the one I want?
>>    7. That name is quite weird, *'Category:OWASP Top Ten Project -
>>    OWASP'* (what does 'category' mean? why is OWASP repeated twice in the
>>    name?), but ... Google always knows better, so I am going to use the first
>>    link: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>>    8. WTF!!!, where is the download link?
>>    9. Ok, I don't want to buy a book (download link anybody!!! 2009
>>    here!!)
>>    10. It looks like there is a stable version and some older versions,
>>    should it be that 'stable' means the latest version? And if I click on that
>>    link, will that take me directly to the download?
>>    11. Before that, let me see if that damn download link is anywhere on
>>    this page
>>    12. Ok, there are a bunch of 'Top 10 users' (...I know that, Sherlock,
>>    why do you think I want to download the OWASP Top 10?)
>>    13. I can give them feedback ... what, no online form? I actually have
>>    to go into my email reader and send an email to
>>    topten at lists.owasp.org (CCed), please don't tell me I have to be
>>    subscribed to that list in order to send my feedback *(DINIS note: I'm
>>    CCing topten at lists.owasp.org on this email, but I am very sure that
>>    that list requires moderation (which is actually a good thing for
>>    controlling SPAM, but not a good thing for providing feedback))*
>>    14. Then there are the project sponsors (some guys called 'Aspect
>>    Security'), are they the guys that I will have to contact to get this
>>    download link? Also I thought that Top 10 was a massive collaboration
>>    process, is Aspect the only author?
>>    15. Then it gets better :(
>>    16. there are 31 pages/links under Pages in the *category "OWASP Top
>>    Ten Project"* section, but they are missing *D* for DOWNLOAD
>>    17. Ahh wait, there is a PPT in there ... is the PPT about the OWASP
>>    Top 10, or a presentation about the OWASP Top 10 ... NO ... it is called
>>    *OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt* which
>>    sounds quite interesting but not what I am looking for
>>    18. OK, let's go back up and follow some of these links, that 'stable'
>>    one looks like a good bet. That said, why is the link called OWASP Top
>>    10 2007 <http://www.owasp.org/index.php/Top_10_2007>, aren't we in
>>    2009? is 2007 the latest version? where does it say that 2007 is the latest
>>    version? is there a 2009 version in the works? (I can see a link to 'Old
>>    versions', what about a link to 'future versions'!!)
>>    19. Anyway, let's look at http://www.owasp.org/index.php/Top_10_2007 with a
>>    bit of luck that will either be the download link or it will contain
>>    the download link in a very easy & obvious location
>>    20. Hummm, my head is starting to hurt there,
>>    21. This is the first content that I can see on this page:
>>       - "... Welcome to the OWASP Top 10 2007! This totally re-written
>>       edition lists the most serious web application vulnerabilities, discusses
>>       how to protect against them, and provides links to more information.
>>       - The OWASP Top 10 has been translated into French. Click Here
>>       <https://www.owasp.org/images/c/ce/OWASP_Top_10_2007_-_French.pdf> for
>>       the French Translation!
>>       - The OWASP Top 10 for Java Enterprise Edition is available for
>>       download here <https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf> ..."
>>    22. Ok, call me stupid but!!
>>       - Where is the link to the ENGLISH version of the OWASP Top 10! (Do
>>       I need to grab the French version and translate it into English? (Hey, I'm up
>>       to trying anything by now))
>>       - This totally *'re-written ... most serious...'* list is from 2007,
>>       right? (and btw, was it *written* in 2007 or *published* in 2007?)
>>       - Does this mean that the OWASP Top 10 is actually the OWASP Top 10
>>       for Java Enterprise? I thought the Top 10 was for Web Applications.
>>    23. Getting desperate here ... hey .. inside the AIM Section there is
>>    a link called Where to Go From Here <http://www.owasp.org/index.php/Top_10_2007-Where_to_Go_From_Here>,
>>    let's click on it ( ... work with me here,
>>    *'Where to Go From here? ---> to the DOWNLOAD PAGE!!!'* :) )
>>    24. humm, no luck on the
>>    http://www.owasp.org/index.php/Top_10_2007-Where_to_Go_From_Here page
>>    ... again that sounds interesting, but not what I want, and no sign of the
>>    download link
>>    25. back in http://www.owasp.org/index.php/Top_10_2007 the next link
>>    in the Aim section points to a 300 page OWASP Development Guide
>>    <http://www.owasp.org/index.php/OWASP_Guide_Project> which (unless it
>>    contains the OWASP Top 10 in the foreword) is not what I want
>>    26. Then we have the acknowledgments, followed by a Summary (which
>>    seems to link to parts of the OWASP Top 10, but I want the DOWNLOADable PDF
>>    or Word Document)
>>    27. HEY!!!! looks like we're getting there, the next section is called
>>    *'A Note About The Different Versions'* and it starts by saying *"...While
>>    the only official version of the OWASP Top Ten 2007 list is the
>>    downloadable English PDF version,..."* .. so Alleluia!!! there is a
>>    PDF of this document!!!! all I need is to find it
>>    28. Ok .. hold your breath ... there is a section called *Downloadable
>>    Versions*, if the English version is not here I will give up!
>>    29. NO!!!!!!!!!!!!!!!!!!!!!
>>    30. There is no English version!!!!!!! this is what that section has
>>       - You can download the Top 10 2007 (Final) here:
>>          - (PDF, 930 kb) <http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf>
>>          - (French Version PDF, 455 kb) <https://www.owasp.org/images/c/ce/OWASP_Top_10_2007_-_French.pdf>
>>          - (Korean Version PDF, 768 kb) <http://www.metasecurity.org/owasp/OWASP_Top_10_2007_Korean.pdf>
>>          - (Turkish Version PDF, 718 kb) <http://csirt.ulakbim.gov.tr/dokumanlar/Ceviri_OWASP_ilk10_2007.pdf>
>>          - (Brazilian Portuguese PDF, 329 kb) <http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf>
>>          - (Spanish PDF, 488 kb) <https://www.owasp.org/images/a/ae/OWASP_Top_10_2007_Spanish.pdf>
>>          - OWASP Top 10 for Java Enterprise Edition (PDF, 630 kb) <https://www.owasp.org/images/8/89/OWASP_Top_10_2007_for_JEE.pdf>
>>          - Looking for a version in another language? We could use your
>>          help translating. Contact Andrew van der Stock (vanderaj ...(@)...
>>          owasp.org) to help translating the OWASP Top 10 into your
>>          language.
>>    31. There is a version in French, Korean, Turkish,
>>    Brazilian/Portuguese, Spanish and that Java Enterprise one that keeps coming
>>    back to haunt me
>>    32. I give up
>>    33. .... close browser ...
>>    34. ... grab a coffee...
>>    35. ...
>>    36. ... still need to get that Owasp Top 10 pdf ...
>>    37. ...
>>    38. ... open browser
>>    39. ...
>>    40. Ok, let's do this, come on, it can't be that hard!
>>    41. let's try this again
>>    42. opening www.owasp.org
>>    43. hey.. there is a link on the home page to the OWASP Top 10 ...
>>    humm.... was that there before? ... let's click on it
>>    44. ok now I'm again at
>>    http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project , let me
>>    try that Book thing at the top, since it is the first thing on the page, so
>>    it must be important
>>    45. clicking on the 'downloaded or purchased' link <http://www.lulu.com/content/1400974>
>>    46. OK ... I'm in another website http://www.lulu.com/content/1400974 (is this owned by OWASP? can't see their logo anywhere!)
>>    47. The cover looks good, but WHERE IS THE DOWNLOAD LINK??
>>    48. Humm ... has OWASP been HACKED? this looks like a scam. They
>>    (owasp website) said that I could download or purchase here, but all this
>>    website is trying to do is to get me to buy this book and give them my
>>    Credit Card details ... ahh, maybe the owasp link is wrong and it should say
>>    'download AND purchase', or more accurately 'purchase AND download'
>>    49. ... WHAT IS GOING ON, I thought OWASP was an Open organization ...
>>    this is not a good sign ...
>>    50. but ... I have hope that I will still be able to get that damn
>>    download link ...
>>    51. let's go back to google and let me be more specific in my search:
>>    'owasp top 10 download'
>>    http://www.google.co.uk/#hl=en&source=hp&q=owasp+top+10+download
>>    52. first link points to http://www.owasp.org/index.php/Top_10_2007
>>    53. ok... been here, this is the page that has the
>>    http://www.owasp.org/index.php/Top_10_2007#Downloadable_Versions section
>>    54. let's be real, ... it can't be that the English version is not
>>    here somewhere
>>    55. WAIT!!!! look at that first link? (PDF, 930 kb) <http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf> could it be that this is the English version!!! AHHH maybe it is an
>>    *'intelligence hacking test'* where if *'you are not good enough to
>>    find that link you deserve to be hacked!!!'* (and not worthy of
>>    belonging to the club of the *'People who have read the OWASP Top 10
>>    in English'*)
>>    56. Now, I'm motivated ... let's click on that link!
>>    57. SUCCESS!!!!!
>>    58. Here is the OWASP_Top_10_2007.pdf <http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf>
>>    59. ...
>>    60. ... now all I have to do is read it and understand what it says so
>>    that I can protect my app :)
>>
>> (Back to Dinis)
>>
>> HUFFF!!! that took a while, sorry guys I didn't mean for it to take that
>> long.
>>
>> Just to finish my chain of thought, please try to find the download link
>> here (and please 'start a timer and calculate how many seconds it will
>> take you')
>>
>>    - (linked from the OWASP home page) *OWASP Testing Guide:*
>>    http://www.owasp.org/index.php/Category:OWASP_Testing_Project
>>
>> OK, did you make a note of how long it took you? Now do the same thing for
>> these two projects
>>
>>
>>    - (linked from the OWASP home page) *OWASP Code Review Guide*:
>>    http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
>>    - (linked from the OWASP Projects page as a 'Release Quality Project')
>>    *OWASP Ruby on Rails Security Guide V2*
>>    http://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2
>>
>> Ok, not finished yet, now (always keeping score of how long it took you to
>> find that damn download link), do the same for these projects
>>
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:OWASP_Guide_Project
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model (Still one click too many, but at least very obvious)
>>    - (linked from the OWASP home page)
>>    http://www.owasp.org/index.php/Category:OWASP_Legal_Project
>>
>> If you have not given up by now, you could continue here:
>> http://www.owasp.org/index.php/Category:OWASP_Download (which is the link
>> that you get on google when searching for OWASP and clicking on the 'download'
>> link (under the #1 search result))
>>
>> OK, and that was just for the download link. Try doing the same exercise
>> for:
>>
>>    - 1 line description about that project
>>    - 1 paragraph description about that project
>>    - who is the project leader? how do I contact him/her
>>    - where is the link to the mailing list (to subscribe or to read its
>>    archives)
>>    - is this an active project? (or if it is inactive/orphaned, who do I
>>    talk to?)
>>    - what license is this project released under? (*"...I know that OWASP
>>    is open source, but some licenses work for me and some don't..."*)
>>    - what is the project roadmap? (*"...i.e. what are the current plans
>>    and what is going to happen next.."*)
>>    - is there a 1 page (maybe even in (shock horror) pdf format) about
>>    this project? (*"... so that I can get a top level view of what it is?
>>    (and maybe send/give it to some colleagues of mine that are interested ..."*)
>>
>> And those are the easy questions, what about:
>>
>>    - Who uses this project?
>>    - Has this project been reviewed by anybody?
>>    - Has this tool been through a security review? How do I report
>>    vulnerabilities in this tool?
>>    - I want to use this project in my company, is there any documentation
>>    on how to deploy this on a xxx development environment?
>>
>> Now ... remember that OWASP has 100+ projects and we need a scalable
>> solution to deal with the issues I raised above.
>>
>> To solve this, the GPC has come up with (after a public consultation with the
>> owasp-leaders) what we call the Assessment_Criteria_v2.0
>> <http://www.owasp.org/index.php/Assessment_Criteria_v2.0>, which is basically
>> an attempt to give the OWASP project leaders a path into
>> solving the 'information/product management problem' we have at OWASP.
>>
>> The good news is that we (finally) at the GPC have come up with a
>> technological solution (based on our current WIKI technology) to enable
>> the easy editing, management and presentation of our projects.
>>
>> To see this in action take a look at this page
>> GPC_Project_Details/OWASP_Live_CD <http://www.owasp.org/index.php/GPC_Project_Details/OWASP_Live_CD>,
>> whose content is entered via a simple
>> *{variable name = content}* format (see
>> http://www.owasp.org/index.php?title=GPC_Project_Details/OWASP_Live_CD&action=edit)
>> and whose layout is mapped via a WIKI template:
>> http://www.owasp.org/index.php/Template:OWASP_Project_Info
>>
>> This in itself is already a massive leap forward (as you guys who have
>> tried to edit Paulo's tables in the past will know very well :) ), BUT the
>> real goodie is the fact that we can reuse this content :)
>>
>> Check out these two pages, still not as clean as they will be in the
>> future, but a good preview of what we can do now:
>>
>>
>>    - http://www.owasp.org/index.php/OWASP_Project_Details_Table
>>    - http://www.owasp.org/index.php/OWASP_Project_Details_Table_2
>>
>>
>> Finally, last request: we (GPC) need help in converting the current
>> projects into the new template, so if you can help it would be great (this
>> is just a 'we need your help' beta request, since Paulo is preparing an
>> email about this which will contain more details about: a) what has already
>> been done, b) how the system works and c) what still needs to be done)
>>
>> Ok, got to go to the park with the family (nice sunny day here in London
>> today),
>>
>> Dinis Cruz
>>
>>
>>
>> 2009/9/18 Boberski, Michael [USA] <boberski_michael at bah.com>
>>
>>> http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf
>>> http://www.owasp.org/images/a/a1/Legal_One_Page_Handout.pdf
>>> http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf
>>>
>>> http://www.owasp.org/images/a/a3/How_ESAPI_Works.pdf
>>> http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf
>>>
>>> http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf
>>>
>>> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>>> http://www.owasp.org/index.php/ASVS
>>> http://www.owasp.org/index.php/Category:OWASP_Legal_Project
>>>
>>> http://www.owasp.org/index.php/ASVS#tab=FAQ
>>>
>>> Mike B.
>>>
>>>
>>> ------------------------------
>>> *From:* owasp-topten-bounces at lists.owasp.org [mailto:
>>> owasp-topten-bounces at lists.owasp.org] *On Behalf Of *Nishi Kumar
>>> *Sent:* Friday, September 18, 2009 10:22 AM
>>> *To:* andre at operations.net; OWASP TopTen
>>> *Subject:* [Owasp-topten] (no subject)
>>>
>>> Hi All,
>>>
>>> I have to give a presentation to managers and executives on OWASP Top 10
>>> and in general how adopting OWASP can help an organization develop secure
>>> software. Do you know if there is any existing training material out there
>>> geared towards management and executives that I can leverage? The goal is to
>>> increase awareness of OWASP in my organization.
>>>
>>> Thanks
>>> Nishi Kumar
>>> Systems Architect
>>> Fidelity Nationals
>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-topten mailing list
>>> Owasp-topten at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>>
>>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>