[Owasp-testing] Fwd: [Owasp-leaders] Fwd: Testing Guide 3 dot OH!

Daniel Cuthbert daniel.cuthbert at owasp.org
Sat May 19 21:04:35 EDT 2007


Actually letting Mat carry this is easier

over to you



Begin forwarded message:

> From: "Matteo Meucci" <matteo.meucci at gmail.com>
> Date: 19 May 2007 23:46:52 GMT+07:00
> To: "Daniel Cuthbert" <daniel.cuthbert at owasp.org>
> Subject: Re: [Owasp-leaders] Fwd: [Owasp-testing] Testing Guide 3 dot OH!
>
> Hi Dan,
> I don't understand...why don't you talk directly to me?
> I won the AoC last October 2006 to create the new OWASP Testing Guide and
> from 2007 I was elected by the OWASP Board as the lead of the
> project...do you remember?
>
> BTW, I presented the new OWASP Testing Guide at our OWASP Conference and I
> explained what our new goals are. I agree with Andrew, we have to align
> the two projects.
>
> I write directly to you because I think this is not the right way to
> collaborate. I'd really be grateful if you would send an email to the
> list just to clarify the situation, otherwise I'll do that.
>
> Thank you,
> Mat
>
>
>
>
> On 5/19/07, Daniel Cuthbert <daniel.cuthbert at owasp.org> wrote:
>> I guess this is me saying I'm happy to take over with 3.0 of the
>> guide. It will tie in nicely with my simplification project theme
>>
>>
>>
>> Begin forwarded message:
>>
>> > From: Andrew van der Stock <vanderaj at owasp.org>
>> > Date: 19 May 2007 01:55:46 GMT+07:00
>> > To: owasp-testing <owasp-testing at lists.owasp.org>, OWASP Guide
>> > <owasp-guide at lists.owasp.org>
>> > Subject: Re: [Owasp-testing] Testing Guide 3 dot OH!
>> >
>> > Hi folks,
>> >
>> > I'm about to get going on the OWASP Guide 3.0 – I've sent a message
>> > a few weeks ago and have a few volunteers. For the next version,
>> > I'd like to have parity in both, and to do that is a bit of work.
>> > One of the things to help progress is to set a date. I propose the
>> > following schedule:
>> >
>> > OWASP US Conference is October this year. Gives us six months
>> > OWASP EU Conference is May next year. Gives us twelve months
>> >
>> > I think we can have a 2.5 edition by October, and a 3.0 by next
>> > year. What do folks think? I personally do not have the time I once
>> > did, so basically I'd prefer the 12 month schedule and get things
>> > right the first time.
>> >
>> > There's a lot of testing material in the OWASP Guide, which I would
>> > like to selectively dump into the Testing Guide. This will give you
>> > feature parity with the Guide, and in turn, I need to pick up a few
>> > of the things in the Testing Guide for the Guide.
>> >
>> > In the Testing Guide 3.0, please make room for an authorization
>> > section. This was missed (how?) in 2.0. The basics will include a
>> > few things already in the Testing Guide 2.0, and a few things
>> > from the OWASP Guide, but will at the very least encompass:
>> >
>> > Complete mediation – everything is access controlled
>> > Forced Browsing. We're settling on this term as WASC are also
>> > starting to use it. This is where a pre-constructed request (GET,
>> > POST, whatever) is sent to the browser and it works. This is
>> > typical of hidden / optional links and buttons common in most
>> > programs
>> > CSRF
>> > Coarse grained authorization - isAuthenticated(), which is
>> > typically all products like SiteMinder and WebSeal tell you unless
>> > you start using their advanced features. This is insufficient
>> > Medium grained authorization (isUserInRole()). Could be considered
>> > business logic access control
>> > Fine grained authorization (is the current secured resource record
>> > or current secured function sub-feature OK for the current user).
>> > Could be considered data layer access control.
>> > Architecture to incorporate authZ checks at the client,
>> > presentation, business and data layers. This is important with Ajax
>> > applications (I've seen this issue this very week. I can't go into
>> > details, but it is end of application class of attack).
>> >
>> > Dave Wichers wants all the Guides to be in what I call "SFA"
>> > format. When I complete the injection chapter, I'll demonstrate
>> > what needs to happen here. Luckily, your content is closer to this
>> > format than the Guide. However, SFA favors Wiki than documents. For
>> > many, the Wiki is the way to go, and I agree ... When you're
>> > online. But many folks like it being in printed form and that also
>> > helps when you're doing a review where you're not allowed to use
>> > your own computer or the Internet.
>> >
>> > Dinis and myself are looking for a decent publisher now. I've set a
>> > few minimum standards to ensure that OWASP materials in published
>> > form do not lose us our copyright and gain us maximum funds whilst
>> > allowing us to keep the Wiki / PDF versions around for free. Most
>> > publishers will not touch this and therefore, we need to choose
>> > from the remaining publishers carefully.
>> >
>> > Thanks,
>> > Andrew
>> >
>> > _______________________________________________
>> > Owasp-testing mailing list
>> > Owasp-testing at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-testing
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
> -- 
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> http://www.owasp.org/index.php/Italy
> OWASP Testing Guide lead
> http://www.owasp.org/index.php/Testing_Guide
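The three authorization layers Andrew lists (coarse isAuthenticated(), medium isUserInRole(), fine-grained record ownership) plus complete mediation, shown as an added example that is not part of this thread or of either OWASP Guide. The route table, the invoice records, the user names and the function names are all constructed for illustration; the point the code makes is the one the message makes, that a coarse-only gate lets a pre-constructed request to a hidden endpoint through, while the layered gate with default deny does not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str


# Constructed sample data: two customers, each owning one invoice.
INVOICES = {
    1: Invoice(1, "alice"),
    2: Invoice(2, "bob"),
}

# Hypothetical route table. Complete mediation means every endpoint is listed
# here and anything unlisted is denied; each entry names the role required
# (medium grain) and whether a per-record ownership check applies (fine grain).
ROUTES = {
    ("GET", "/invoices"): {"role": "customer", "record_check": True},
    ("POST", "/admin/export"): {"role": "admin", "record_check": False},
}


def is_authenticated(user):
    """Coarse grain: is there a logged-in principal at all?"""
    return user is not None


def is_user_in_role(user, role):
    """Medium grain: business-logic access control by role."""
    return role in user.roles


def owns_record(user, invoice):
    """Fine grain: data-layer check that this record belongs to this user
    (admins are allowed across records in this constructed policy)."""
    return invoice.owner == user.name or "admin" in user.roles


def authorize(user, method, path, record_id=None):
    """Layered gate: returns (allowed, reason) so a reviewer can see which
    layer made the decision."""
    rule = ROUTES.get((method, path))
    if rule is None:
        return False, "deny: unmapped route (default deny)"
    if not is_authenticated(user):
        return False, "deny: coarse (not authenticated)"
    if not is_user_in_role(user, rule["role"]):
        return False, "deny: medium (role %s required)" % rule["role"]
    if rule["record_check"]:
        invoice = INVOICES.get(record_id)
        if invoice is None:
            return False, "deny: fine (no such record)"
        if not owns_record(user, invoice):
            return False, "deny: fine (not record owner)"
    return True, "allow"


def authorize_coarse_only(user, method, path, record_id=None):
    """The isAuthenticated()-only gate the message calls insufficient: any
    logged-in user reaches any pre-constructed request."""
    if not is_authenticated(user):
        return False, "deny: coarse (not authenticated)"
    return True, "allow"


def compare_gates(user, requests):
    """Run a list of (method, path, record_id) requests through both gates and
    return those the coarse-only gate allows but the layered gate denies.
    A non-empty result is the forced-browsing gap a review should report."""
    gaps = []
    for method, path, record_id in requests:
        coarse_ok, _ = authorize_coarse_only(user, method, path, record_id)
        full_ok, reason = authorize(user, method, path, record_id)
        if coarse_ok and not full_ok:
            gaps.append((method, path, record_id, reason))
    return gaps


# Constructed probe set: a hidden admin function, another user's record,
# the user's own record, and an endpoint nobody mapped.
PROBES = [
    ("POST", "/admin/export", None),
    ("GET", "/invoices", 1),
    ("GET", "/invoices", 2),
    ("GET", "/reports", None),
]

if __name__ == "__main__":
    bob = User("bob", frozenset({"customer"}))
    for gap in compare_gates(bob, PROBES):
        print("coarse-only gate would allow, layered gate denies:", gap)
```

Each `deny` reason names the layer that fired, which is what a tester wants when writing up which of the three grains is missing in a product that only exposes an isAuthenticated() check.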


