[Owasp-leaders] (& how hard is to find download links on the OWASP website) Re: [Owasp-topten] (no subject)

Dinis Cruz dinis.cruz at owasp.org
Sun Sep 20 14:11:22 EDT 2009


Just to put this in context, Mike is one of GPC's 'toughest'  
'customers' (in a good sense and in good sport :)  )

He his very focused on 'his' project, really cares about anything that  
afects the design of 'his' project and is very sensitive to the  
release status (alpha, beta or quality) of 'his project.

I used the reference to ASVS as Mike's projects because that is how  
most project leaders feel about it. It is their baby and they REALY  
care about it.

And that is great! What we need to do is to 'try' to channel some of  
this energy and good-will into some standardization , so that OWASP- 
wide users can find, understand and consume these great projects.

The reason I like Mike's resistence to GPC ideas and requests, is  
because the day he is happy with the GPC solution, is the day that  
(probably) we've got it right (and as you can see below Mike is still  
very sceptical of the value and usefullness of the work we are doing  
at the GPC (just ask him about what he thinks of the 'new version of  
the Project Assessment Criteria' :) )

That said, most of our differences are quite small, since if you look  
at Mike's paragraph below starting with '...I would recomend.... ' ,  
that is part of what the assessment criteria is asking our leaders to  
'document' and create

Remember that the GPC's scope are ALL Owasp projects, and we have to  
come up with solutions that work across: multiple project types  
(tools, documents & misc), cultures, time-zones, project leaders  
personalities & wiki skills and (probably the most important)  
project's contributors available time & energy.

Btw, the GPC has a regular call every Monday at 10pm London time (5pm  
EST). This is open to participation so if you have GPC specific  
questions feel free to dial in.

Dinis Cruz

On 20 Sep 2009, at 17:14, Mike Boberski <mike.boberski at gmail.com> wrote:

> FYI, no committee had anything to do with the PDFs, not the  
> slightest involvement whatsoever, I created all of the different  
> PDF's referenced in my email, they weren't created with the goal to  
> meet any requirements, just decided to share them with OWASP since  
> thought they might be more generally useful, after creating them for  
> my own purposes.
>
> Perhaps begs the question about what I think of the documentation  
> threads (and perhaps the committees, but I won't go there), since  
> what I've produced is "fantastic".
>
> I would encourage all projects to have a one-pager, and all tool  
> projects to get their projects under Google Code and have both an  
> install guide, release notes, and ideally also a getting started  
> guide; if an API, the minimum would also include interface docs.
>
> Projects are otherwise just dust in the wind, at least from most  
> users' perspective.
>
> Best,
>
> Mike
>
>
> On Sun, Sep 20, 2009 at 11:55 AM, Seba <seba at owasp.org> wrote:
> Dinis,
>
> as always, you can make your point :-)
> I hope you had a good time in the park.
>
> The GPC did a fantastic job in creating these templates.
>
> I hope everybody understands that OWASP is not only about creating  
> fantastic stuff.
> OWASP is of course also about sharing this with the 'outside world'.
>
> I am convinced that the people on the different committees and all  
> the other owasp leaders are in the unique position to improve and  
> streamline the sharing part. This is not something we should  
> 'outsource' to a marketing or PR department.
>
> Seba
>
> On Sun, Sep 20, 2009 at 3:32 PM, dinis cruz <dinis.cruz at owasp.org>  
> wrote:
> Thanks for the links Michael (nice example of the usefulness  of  
> those 'bureaucratic' pdf)
>
> And just to try to show in a graphical way, why we need standards  
> when presenting our project's basic information, here is a workflow  
> (hopefully as accurate as I can replicate a normal user (i.e. not a  
> experienced OWASP leader)) who is trying to answer the question
>
> "So, where is the latest version of the OWASP Top 10?"   (note: I  
> started this by trying to add the 'Owasp top 10' download link to  
> this thread  (and in fact this is real-world question asked recently  
> by Tom B to Paulo Coimbra))
>
> [in the words/mind of a normal user trying to find this link]
> probably the best way to start is on the OWASP home page: http://www.owasp.org/index.php/Main_Page
> wooooaaahh, that is a lot of links and information, hummm, in the  
> side there is this thing called 'OWASP Projects' let me click in  
> there to
> wooooaaahh, that is also a lot of stuff!!!!
> I think I will google it (   ... the most sharp-eyed probably  
> noticed that there is a link for the OWASP Top 10 on the owasp home  
> page and that (if you scroll down) that is also a link inside the  
> projects page in the 'Release Quality Projects' tab ... )
> ahh, that's better http://www.google.co.uk/#hl=en&source=hp&q=owasp+top+10
> That said, I'm a bit confused here, hit #1 points to Category:OWASP  
> Top Ten Project - OWASP and link #2 points to  Top 10 2007 - OWASP ,  
> which one is the one I want?
> That name is quite weird 'Category:OWASP Top Ten Project -  
> OWASP' (what does 'category mean'?  why is OWASP repeated twice in  
> the name?) , but ... Google always know better, so I am going to use  
> the first link: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> WTF!!!, where is the download link?
> Ok, I don't want to buy a book (download link anybody!!! 2009 here!!)
> It looks like there is a stable version and some older versions,  
> should it be that 'stable' means the latest version?  And If I click  
> on that link, will that take me directly to the download?
> Before that, let me see if that damm download link is anywhere on  
> this page
> Ok, there are a bunch of 'Top 10 users' (...I know that sherlock,  
> why do you think I want to download the OWASP top 10?)
> I can give them feedback ...  what no online form? I actually have  
> to go into my email reader and send in an email to topten at lists.owasp.org 
>  (CCed) , please don't tell me I have to be subscribed to that list  
> in order to send my feedback (DINIS note: I'm CCing topten at lists.owasp.org 
>  on this email, but I am very sure that that list required  
> moderation (which is actually a good thing for controlling SPAM, but  
> not a good thing for providing feedback))
> Then there are the project sponsors (some guys called 'Aspect  
> Security'), are they the guys that I will have to contact to get  
> this download link?  Also I thought that Top 10 was a massive  
> collaboration process, is Aspect the only author?
> Then it gets better  :(
> there are 31 pages/links under  Pages in the category "OWASP Top Ten  
> Project" section, but they are missing D for DOWNLOAD
> Ahh wait, there is a PPT in there ... is the PPT about the OWASP 10  
> top, or a presentation about the OWASP Top 10 ... NO ... is it  
> called OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt  
> which sounds quite interesting but not what I am looking for
> OK, lets go back up and follow some of these links, that 'stable'  
> one looks like a good bet. That said, why is the link called OWASP  
> Top 10 2007 aren't we in 2009? is 2007 the latest version, where  
> does it say that 2007 is the latest version? is there a 2009 version  
> on the works? (I can see a link to 'Old versions' what about a link  
> to 'future versions'!!)
> Anyway, lets look at http://www.owasp.org/index.php/Top_10_2007 with  
> a bit of luck that will either be the download link or it will  
> contain the download link in a very easy & obvious location
> Hummm, My head is starting to hurt there,
> This is the first content that I can see on this page:
> "... Welcome to the OWASP Top 10 2007! This totally re-written  
> edition lists the most serious web application vulnerabilities,  
> discusses how to protect against them, and provides links to more  
> information.
> The OWASP Top 10 has been translated into French.  Click Here for  
> the French Translation!
> The OWASP Top 10 for Java Enterprise Edition is available for  
> download here   ..."
> Ok, call me stupid but!!
> Where is the link to the ENGLISH version of the OWASP Top 10! (Do I  
> need to grab the French version and translate it into English? (Hey  
> I'm up to trying anything by now))
> This totally 're-written ... most serious...' list is from 2007  
> right? (as btw, was it written in 2007 or published in 2007)?
> Does this mean that the OWASP Top 10 is actually the OWASP Top 10  
> for Java Enterprise?  , I though the Top 10 was for Web Applications.
> Getting desperate here ... hey .. inside the AIM Section there is a  
> link called Where to Go From Here  let's click on it ( ... work with  
> me here, 'Where to Go From here? ---> to the DOWNLOAD PAGE!!! :)  )
> humm, no luck in http://www.owasp.org/index.php/Top_10_2007-Where_to_Go_From_Here 
>  page ... again that sounds interesting, but not what I want, and no  
> sigh to the download link
> back in http://www.owasp.org/index.php/Top_10_2007 the next link on  
> the Aim section points to a 300 page OWASP Development Guide which  
> (unless it contains the OWASP Top 10 in the foreword, it is not what  
> I want)
> Then we have the acknowledgments , followed by a Summary (which  
> seems to link to parts of the OWASP Top 10, but I want the  
> DOWNLOADable PDF or Word Document)
> HEY!!!! looks like we're getting there, the next section is called  
> 'A Note About The Different Versions' and it starts by saying  
> "...While the only official version of the OWASP Top Ten 2007 list  
> is the downloadable English PDF version,..."  .. so Alleluia!!!  
> there is a PDF of this document!!!! all I need is to find it
> Ok .. hold your breath ...  there is a section called Downloadable  
> Versions , if the english version is not here I will give up!
> NO!!!!!!!!!!!!!!!!!!!!!
> There is no english version!!!!!!! this is what that section has
> You can download the Top 10 2007 (Final) here:
> (PDF, 930 kb)
>  (French Version PDF, 455 kb)
>  (Korean Version PDF, 768 kb)
>  (Turkish Version PDF, 718 kb)
>  (Brazilian Portuguese PDF, 329 kb)
>  (Spanish PDF, 488kb)
>  OWASP Top 10 for Java Enterprise Edition (PDF, 630 kb)
> Looking for a version in another language? We could use your help  
> translating. Contact Andrew van der Stock (vanderaj ... 
> (@)...owasp.org) to help translating the OWASP Top 10 into your  
> language.
> There is an version in French, Korean, Turkish, Brazilian/ 
> Portuguese, Spanish and that Java Enterprise one that keeps coming  
> back to haunt me
> I give up
> .... close browser ...
> ... grab a coffee...
> ...
>  ... still need to get that Owasp Top 10 pdf ...
> ...
> ... open browser
> ...
> Ok, let's do this, come on, it can't be that hard!
> lets try this again
> opening www.owasp.org
> hey.. there is a link on the home page to the OWASP Top 10 ...  
> humm.... was that there before?   ... let's click on it
> ok now I'm again at http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project 
>   , let me try that Book thing at the top, since it is the first  
> thing on the page, so it must be important
> clicking on the downloaded or purchased.
> OK ... I'm in another website http://www.lulu.com/content/1400974   
> (is this owned by OWASP?, can't see their logo anywere!)
> The cover looks good, but WHERE IS THE DOWNLOAD LINK??
> Humm ... has OWASP been HACKED? this looks like a scam, They (owasp  
> website) said that I could download or purchase here, but all this  
> website is trying to do is to get me to buy this book and give them  
> my Credit Card details ... ahh, maybe the owasp link is wrong and it  
> should say 'download AND purchase'  , or more accurately 'purchase  
> AND download'
> ... WHAT IS GOING ON, I though OWASP was an Open organization ...  
> this is not a good sign ...
> but ... I have hope that I will still be able to get that damm  
> download link ...
> lets go back to google and let me be more specific on my search:  
> 'owasp top 10 download' http://www.google.co.uk/#hl=en&source=hp&q=owasp+top+10+download
> first link points to http://www.owasp.org/index.php/Top_10_2007
> ok... been here, this is the page that has the http://www.owasp.org/index.php/Top_10_2007#Downloadable_Versions 
>  section
> let's be real, ... it can't be that the English version is not here  
> somewhere
> WAIT!!!! look at that first link? (PDF, 930 kb)  could it be that  
> this is the English version!!! AHHH maybe it is an 'intelligence  
> hacking test'  where if 'you are not good enough to find that link  
> you deserve to be hacked!!!' (and not worthy to belonging to the  
> club of the 'People who have read the OWASP Top 10 in english' )
> Now, I'm motivated ... lets click on that link!
> SUCCESS!!!!!
> Here is the OWASP_Top_10_2007.pdf
> ...
> ... now all I have to do is read it and understand what it says so  
> that I can protect my app :)
> (Back to Dinis)
>
>
> HUFFF!!! that took a while, sorry guys I didn't meant for it to take  
> that long.
>
>
> Just to finish my chain of thought, please try to find the download  
> link here (and if please 'start a timer and calculate how many  
> seconds it will take you')
> (linked from the OWASP home page) OWASP Testing Guide: http://www.owasp.org/index.php/Category:OWASP_Testing_Project
> OK, did you made a note of how long it took you?  Now do the same  
> think for these two projects
>
>
> (linked from the OWASP home page) OWASP Code Review Guide: http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
> (linked from the OWASP Projects page as a 'Release Quality Project')  
> OWASP Ruby on Rails Security Guide V2 http://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2
> Ok, not finished yet, now (always keeping score of how long it took  
> you to find that damm download link), do the same for these projects
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:OWASP_Guide_Project
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model 
>   (Still one click too many, but at least very obvious)
> (linked from the OWASP home page) http://www.owasp.org/index.php/Category:OWASP_Legal_Project
> If have not given up by now , you could continue here http://www.owasp.org/index.php/Category:OWASP_Download 
>  (which is the link that you get on google when searching for OWASP  
> and click on the 'download' link (under the #1 search results)
>
>
> OK, and that was just for the download link. Try doing the same  
> exercise for:
> 1 line description about that project
> 1 paragraph description about that project
> who is the project leader? how do I contact him/her
> where is the link to the mailing list (to subscribe or to read its  
> archives)
> is this an active project? (or if it is inactive/ofphaned who do I  
> talk to?)
> what license is this project released under? ("...I know that OWASP  
> is open source, but some licenses work for me and some don't...")
> what is the project roadmap? ("...i.e. what is the current plans and  
> what is going to happen next..")
> is there a 1 page (maybe even in (shock horror) pdf format) about  
> this project ("... so that I can get a top level view of what it is?  
> (and maybe send/give it to some colleagues of mine that are  
> interested ...")
> And those are the easy questions, what about:
> Who uses this project?
> Has this project been reviewed by anybody?
> Has this tool been though a security review? How do I report  
> vulnerabilities in this tool?
> I want to use this project on my company, is there any documentation  
> on how to deploy this on a xxx development environment?
> Now ... remember that OWASP has 100+ projects and we need a scalable  
> solution to deal with the issues I raised above.
>
>
> To solve this, the GPC has come up (after a public consultation with  
> the owasp-leaders) what we call the Assessment_Criteria_v2.0 which  
> is basically an attempt to give the OWASP project leaders a path  
> into solving the 'information/product management problem' we have at  
> OWASP.
>
>
> The good news is that we (finally) at the GPC have come up with a  
> technologically solution (based on our current WIKI technology) to  
> enable the easy edit, management and presentation of our projects.
>
>
> To see this in action take a look at this page GPC_Project_Details/ 
> OWASP_Live_CD whose content is entered via a simple {variable name =  
> content} format (see http://www.owasp.org/index.php?title=GPC_Project_Details/OWASP_Live_CD&action=edit 
> ) and whose layout is mapped via a WIKI template: http://www.owasp.org/index.php/Template:OWASP_Project_Info
>
>
> This in itself, is already a massive leap forward (like you guys who  
> have tried to edit Paulo's tables in past will know very well :)  ),  
> BUT the really goodie, is the fact that we can reuse this content :)
>
>
> Check out these two pages, still not as clean as they will be in the  
> future, but a good preview of what we can do now:
>
>
> http://www.owasp.org/index.php/OWASP_Project_Details_Table
> http://www.owasp.org/index.php/OWASP_Project_Details_Table_2
>
>
> Finally, last request, we (GPC) need help in converting the current  
> projects into the new template, so if you can help it would be great  
> (this is just a 'we need your help' beta request, since Paulo is  
> preparing an email about this which will contain more details about:  
> a) what has already been done, b( how the system works and c) what  
> still needs to be done)
>
>
> Ok, got to go to the park with the family (nice Sunny day here in  
> London today),
>
>
> Dinis Cruz
>
>
>
>
>
>
> 2009/9/18 Boberski, Michael [USA] <boberski_michael at bah.com>
> http://www.owasp.org/images/4/41/ASVS_One_Page_Handout.pdf
> http://www.owasp.org/images/a/a1/Legal_One_Page_Handout.pdf
> http://www.owasp.org/images/3/31/ESAPI_One_Page_Handout.pdf
>
> http://www.owasp.org/images/a/a3/How_ESAPI_Works.pdf
> http://www.owasp.org/images/a/ac/LAMP_Should_be_Spelled_LAMPE.pdf
> http://www.owasp.org/images/0/01/Getting_started_designing_for_a_level_of_assurance.pdf
>
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
> http://www.owasp.org/index.php/ASVS
> http://www.owasp.org/index.php/Category:OWASP_Legal_Project
>
> http://www.owasp.org/index.php/ASVS#tab=FAQ
>
> Mike B.
>
>
> From: owasp-topten-bounces at lists.owasp.org [mailto:owasp-topten- 
> bounces at lists.owasp.org] On Behalf Of Nishi Kumar
> Sent: Friday, September 18, 2009 10:22 AM
> To: andre at operations.net; OWASP TopTen
> Subject: [Owasp-topten] (no subject)
>
> Hi All,
>
> I have to give a presentation to manager's and executives on OWASP  
> Top 10 and in general how adopting OWASP can help organization  
> develop secure software. Do you know if there is any existing  
> training material out there geared towards management and executives  
> that I can leverage. The goal is to increase awareness of OWASP in  
> my  organization.
>
> Thanks
> Nishi Kumar
> Systems Architect
> Fidelity Nationals
>
>
> Insert movie times and more without leaving Hotmail®. See how.
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090920/a87b704e/attachment-0001.html 


More information about the OWASP-Leaders mailing list