[Owasp-leaders] Attack Surface Analysis
vanderaj at owasp.org
Sat Sep 1 05:15:20 UTC 2012
I like to see "Stories", with a fairly straightforward path from start to
middle to finish. In a cheat sheet, this means a short story amount of
exposition and character development.
*Why* - what use case does this cheat sheet apply to? It's currently called
Introduction, but I think it should answer the question "why should I
care about defining and measuring the attack surface?"
The *How* is answered fully, and that requires little attention, but as
it's a process, a simple process diagram would be nice.
The *What* is currently an abstract list, so an example illustrating the
point using a use case that we'd all be familiar with; something like a
Fandango or Expedia type of site, i.e. defining the critical data assets
(CC data, booking details, etc.) and critical flows (finding something,
making a booking, checking out, customer service).
The *Who* is not really answered. Who would undertake this task? In my
personal view, this is a security architect and pen tester, but developers
should be able to self-assess.
Other than that, I think it's a fine final draft that I would be proud of
if I had written it. Good work, fellas!
On Sat, Sep 1, 2012 at 1:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
> What changes do we need to get this out of draft mode? Send us more
> feedback (off the leaders list) and we will address it.
> Jim Manico
> (808) 652-3805
> On Aug 31, 2012, at 6:39 PM, vanderaj vanderaj <vanderaj at owasp.org> wrote:
> Nice. I like it.
> How does it get out of draft? This is around beta quality in my view.
> On Tue, Aug 28, 2012 at 9:26 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> Jim Bird was kind enough to author one of the first "attacker" cheat
>> sheets on attack surface analysis.
>> Comments are greatly appreciated!
>> Jim Manico
>> (808) 652-3805
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org