[Owasp-leaders] Proposal for changing OWASP Documentation

Steven van der Baan steven.van.der.baan at owasp.org
Mon Feb 15 10:09:40 UTC 2016


I'm in favour of this as well. It would simplify to cross-reference
between the documents.
I would add projects like the Security Knowledge Framework into this as
it already contains a lot of coding examples.

Cheers,
Steven.

On 15/02/16 09:52, psiinon wrote:
> I'm all for this, but there again in most cases I'd probably be
> consuming this info rather than generating it ;)
> 
> We want to concentrate on making ZAP as good as we can, not
> copy-and-pasting docs from other OWASP projects.
> Theres loads of great content I'd like to include with ZAP if it was in
> the right format.
> 
> We can (and do) link to other projects, but there are many times when
> you want deeper integration.
> A couple of ZAP examples:
> 
> When you raise an alert manually ZAP gives you a pulldown of common
> vulns, and then fills out some boilerplate info if you select one of the
> options.
> Thats all taken from WASC as I couldnt fine a good OWASP alternative:
> https://github.com/zaproxy/zaproxy/blob/develop/src/lang/vulnerabilities.xml
> 
> I'd love to include a checklist in ZAP based on the testing guide - some
> of the checks could be automatically completed when you perform some ZAP
> actions, others would need to be manually completed by the tester, but
> all could include more info (still in ZAP) explaining what the tester
> needed to do.
> This was a student project but it didnt go anywhere :(
> 
> Cheers,
> 
> Simon
> 
> On Sun, Feb 14, 2016 at 8:30 PM, Gary Robinson <gary.robinson at owasp.org
> <mailto:gary.robinson at owasp.org>> wrote:
> 
>     Hi Folks,
> 
>      
> 
>     I want to reach out to the leaders and bring up the subject of OWASP
>     docs projects, in fact all OWASP documentation including wiki and
>     text available to our code projects as well.  I’ll try to keep this
>     e-mail brief so won’t get bogged in details, but generally I want to
>     know if the community experiences the same pains, see the same
>     opportunities, or has other suggestions for improvement.
> 
>      
> 
>     The issues that can arise from our current method of developing our
>     various docs include:
> 
> 
>      1. Draft content that exists in the wiki.  This may be in varying
>         states (correct, incorrect, lousy, confused, etc.) and is
>         visible to the internet and typically not clearly labelled as
>         draft.  Google ‘owasp purple monkey dishwasher’ for an example
>         of a draft wiki page visible to the internet.  This content also
>         needs to get cleaned up after a project release.
>      2. Substandard descriptions/content can get into our docs.  Getting
>         people to review every line/example/diagram/appendix is
>         difficult with a volunteer organization (as other threads have
>         discussed)
>      3. Duplications happen, as 10 different projects create/copy/paste
>         their definitions of topics such as XSS, SQLi, CSRF, etc.  This
>         wastes effort in an organization already constrained of active
>         volunteers.
>      4. Content gets out-of-date.  The work to create a new version of a
>         doc project takes years.
> 
>     I’m sure some readers will be mentally adding their own issues to
>     this list.
> 
>      
> 
>     Proposal:
> 
> 
>     Bringing together discussions with a few people over the last few
>     years (you know who you are), I’m proposing the following: we write
>     our docs with reusable resources.  What would this mean?  Something
>     similar to the following:
> 
> 
>      1. We dump all of the content from our wiki, current docs,
>         descriptions in code tools, etc.  We put it into markup (as some
>         projects are already doing) and add it to source code repositories.
>      2. We share doc markup files _across ALL docs and code projects_. 
>         For example, imagine we have a folder for SQLi.  This directory
>         contains the OWASP ‘golden source’ for SQLi definition,
>         examples, code, tests, etc.  Repeat for all other AppSec issues
>         (CSRF, cert pinning, etc.).  We use a mechanism to ‘compile’
>         these markdown files into PDFs and integrate into code project
>         HTML pages.
>      3. Similar to good coding projects, we control who can edit the
>         files under certain directories – people we know have expertise
>         in an area.  Edits get peer reviewed before submission.  Other
>         people can suggest edits and prove their experience to the
>         existing team to join it.
>      4. We allow anyone to ‘include’ this markup file into their
>         project.  So if the Code Review Guide wants to add a section on
>         SQLi, and needs a definition, I don’t write it (or copy from
>         wiki), I simply include the relevant markup file.  Same for
>         testing guide, dev guide, ZAP hints page, security shepherd info
>         page, cheetsheet, and on and on.
>      5. We allow all of our docs, plus the wiki, plus all code projects,
>         to dynamically use an markup file update.  We make this ‘real
>         time’.  This needs an example.  Say in March a massive change
>         occurs in the world of SQLi.  Right now any project that talks
>         about SQLi would need to manually go in and update, and those
>         updates will be of varying quality and content.  If, instead,
>         one (true) source file was update, all those other projects
>         could spot the change and automatically rebuild themselves,
>         meaning the next person to download a development guide PDF, or
>         view the wiki, would get the updated SQLi information.
>          1. This is a big change.  This may be a controversial
>             change.  _However it would greatly reduce our
>             workload_ (only one markup document needs to get updated). 
>             It will also _greatly reduce review tasks_, as everyone is
>             sharing core content which is reviewed once.  It also
>             improves our image to the world, as all projects have the
>             same great descriptions and content.
>          2.   This change also improves our responsiveness.  Imagine a
>             heartbleed type issue being reflected in all OWASP code and
>             documentation projects, as well as the wiki/cheetsheets,
>             within a few days?  (simply the time for the team to agree
>             updates to the text/examples/descriptions, review, and submit)
>      6.  We should also make these markup files available to anyone on
>         the internet (read only).  This way the source descriptions
>         become an OWASP resource it itself, and anyone out there needing
>         to spread the word on AppSec has easy access to rock solid,
>         up-to-date definitions.
> 
>     This changes the model, from people like myself who run ‘projects’,
>     to smaller expert teams who know ‘technologies’ (such as SQLi or IIS
>     secure configuration).  It focuses people where they want to be on
>     docs projects, but easily shares that knowledge across all OWASP
>     (and more) projects.  It also means there’d never be another need to
>     clean-up the wiki – it would always be based off the markup content.
> 
> 
>     *Big downside*: there’s a large piece of work to start it off.  All
>     content would need to get organized, put into sensible structure,
>     converted to markdown, argued over, ‘experts’ defined and assigned,
>     etc.  I doubt this would be a volunteer effort, and may need
>     contractor involvement.  Could this be combined with the OWASP wiki
>     redesign?
> 
> 
>     So… the ask from the community, what are your thoughts? Could this
>     be a viable option to save us time on docs/descriptions and increase
>     quality?  Would there be funds to perform the initial conversion of
>     everything into markup pages?  Would there be resistance to working
>     in this new model?
> 
> 
>     Gary
> 
> 
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> 
> 
> 
> -- 
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 


More information about the OWASP-Leaders mailing list