[Owasp-topten] Top 10 2007 Final uploaded

Andrew van der Stock vanderaj at owasp.org
Mon May 14 21:18:50 EDT 2007


Neil,

Once the text is uploaded, the Wiki will become the master. But read on...

Like it or not, the document master for generating the PDF will have to
remain the Word document. Word is like a power tool - occasionally it will
chop off a finger or lose you an eye if you don't pay attention. We'd have
to stop using the web if you're worried about .doc format issues. There are
literally hundreds of XSS issues every week, let alone all the other ones the
Top 10 talks about. Six issues in twelve months is nothing. It's irrelevant
if you're like me and keep things up to date. It's the difference between a good
carpenter who cleans and puts his tools away after a job and cleans up after
himself and one who just tosses them in the back of the truck and leaves a
terrible mess. Housekeeping comes with the territory of any sufficiently
large application, Open Office included. I don't care if you're into DeWalt
tools or Black & Decker tools - the key is the ability to use them and care
for them properly.

I think we're all mature enough here to realize that dissing each other's
tools is a waste of time. All software has bugs.

http://www.securityfocus.com/bid/22812
http://www.securityfocus.com/bid/23067
http://www.securityfocus.com/bid/13092
http://www.securityfocus.com/bid/18737
http://www.securityfocus.com/bid/21618
http://www.securityfocus.com/bid/15756
http://www.securityfocus.com/bid/18738
http://www.securityfocus.com/bid/15259
http://www.securityfocus.com/bid/11151
http://www.securityfocus.com/bid/10385
http://www.securityfocus.com/bid/10136
http://www.securityfocus.com/bid/8794
http://www.securityfocus.com/bid/5950

We wouldn't be in this industry if that wasn't the case. I get immense value
out of my personal Microsoft Office licenses. I wouldn't trade them for a
lesser tool or a tool that makes me very inefficient - I have little enough
out-of-hours life as it is. If you like another tool that suits your work
flow better, more power to you.

When it's time for the next version, a proper word processor will be used, as
there are no tools to create reasonable looking PDFs from the Wiki today
(feel free to make one). It would have been totally impossible for me to
manage the RC process without it being in Word. Word is a mature document
processing tool. It does what it does really well, far better than most of
you give it credit for. It's not my fault if many of you don't know how good
a tool Word really is. I used to use Framemaker in the day, and although
Word is not quite as good as that (yet), it's not far off. Reviewing and
managing very large documents like the Guide is easy with it - moving large
chunks from A to B, editing and revising as I see fit.

However, in this instance, the Wiki is the best version for "current", as we
expect to have a number of minor edits at first and then a slow build-up to
the next milestone, where folks will have to conduct more research to see
what the lay of the land is.

I'd like to see the PDF and Word versions remain available for the stable
products. I will be uploading our data set in Excel format as that allows
our interpretation of MITRE's data to be validated by others, a key
component of the scientific process. On Sourceforge, we had nearly equal
downloads for both formats, so forcing half our potential users to use a
format that doesn't suit them is silly. If someone wants to make an ODF
version, more power to them - and please make it available in the Wiki. The
idea of open source is not to take away choice but to enhance it.

But for our purposes, the Wiki will take over being master until it's time
to bring it together for another milestone release. I'm happy for the Wiki
to say that, but the stable versions are standalone and they don't need to
say anything - they are what they are. They're there for folks like me who
can't make a copy of a multi-gigabyte Wiki to take on the road. I work in
environments (like today) where I am not allowed to use my laptop on the
customer's network, nor use the Internet easily. In such situations, good
looking paperless, searchable electronic documents must exist. That is the
role of the PDF and Word versions.

Thanks,
Andrew 


On 5/14/07 1:21 PM, "Neil Smithline" <owasp-topten at smithline.net> wrote:

> I have three reasons:
> * First, if we claim to have an "official" version of the document, then it
> really has to be read-only or every change has to be carefully monitored or
> filtered (Wikipedia does both of these for key pages). They too have made some
> pages non-editable due to problems with either malicious or just unwise users.
> We can have two downloadable versions I guess, the  "Official OWASP" one and
> the "User Updated" one and say that OWASP only endorses one.  My biggest
> concern with modification is that the document gets changed in such a way to
> perhaps give useless or even damaging advice.  Not only would that be horribly
> embarrassing for OWASP ("Web Site Dedicated to Web Security Needs to Look in
> The Mirror" sounds like a good headline to me), it might leave OWASP exposed
> for liability issues if some malicious advice is followed, reduces a site's
> security, and then the site is exploited through that reduction.
> * If we allow the Wiki, the Word/OpenDoc, and potentially the PDF version to
> be modified, how will we merge the documents.
> * Lastly, we have no proof that OpenDoc is any more secure than DOC. All we
> know is that there are fewer known vulnerabilities in it. That probably has to
> do with the relative popularity of the formats rather than the actual security
> of the software to process it. Furthermore, the vulnerabilities tend to be in the
> readers and OpenDoc, being open, has multiple readers and hence more chance of
> vulnerabilities. (There is an article, written by what some consider a
> brilliant author :-), at
> http://www2.csoonline.com/exclusives/column.html?CID=32860 discussing the
> threat of vulnerabilities from data files.) If someone puts an infected
> OpenDoc file on the site, how would we even know? Eventually we would find out
> but it could have spread far and wide by then.
> One final thought, this doesn't need to be resolved in the next 24 hours. We
> can just put the Wiki and readonly PDF file up today and then add the other
> files yes.
> 
> - Neil
> 
> Calderon, Juan Carlos (GE, Corporate, consultant) wrote:
>>  
>> Not a big deal but, why not publish in PDF and OpenDocument format?
>> 
>> It could be a good idea to keep the 3 document formats used in OWASP
>> documentation open. WIKI for Web, PDF and OpenDocument for offline.
>> 
>> Just a small comment,
>> Juan Carlos Calderon
>> 
>> -----Original Message-----
>> From: owasp-topten-bounces at lists.owasp.org
>> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Neil
>> Smithline
>> Sent: Monday, 14 May 2007 06:42 a.m.
>> To: Andrew van der Stock
>> Cc: Sebastien Deleersnyder; maartenmestdagh at yahoo.com; HyungKeun Park;
>> Dave Wichers; Jeff Williams; dinis.cruz at owasp.net;
>> owasp-topten at lists.owasp.org
>> Subject: Re: [Owasp-topten] Top 10 2007 Final uploaded
>> 
>> 
>> 
>> Andrew van der Stock wrote:
>>> Hi folks,
>>> 
>>> The final of the OWASP Top 10 is now ready and has been uploaded to
>>> the Wiki. The PDF/Word documents are public as of now, but please hold
>>> off making major public noises until Tuesday Italy time as that's when
>>> it will be publicly announced. Feel free to let your friends and
>>> colleagues know about it - there has to be an advantage to working on
>>> an open source project, and this is it! :)
>> 
>> I think over the weekend we had decided that we were going to not have
>> the .DOC on the website to both discourage changes to the "official
>> version" as well as tidiness (largely to my revulsion of all the
>> zero-day vulnerabilities in .DOC file - I think there has been about 6
>> in the last 12 months) Are you agreeing with that or disagreeing? We
>> also discussed making the PDF (and potentially DOC if we keep it up)
>> read-only.
>> 
>> One thought, do we need a legal disclaimer on this doc? Something like
>> "Use as-is; even if all suggestions are taken, web sites are inherently
>> vulnerable and we ain't responsible." Not sure. I'm no legal dude and
>> if we ask an attorney they'll always say yes. Just thought I'd raise the
>> point.
>> 
>>> The Board will be sending out a press release on Tuesday, so please
>>> avoid sending anything to the major web sites (eg Digg / Slashdot)
>>> without talking to us first.
>>> 
>>> Neil and translators: The redline between RC2 and Final is here:
>>> 
>>> http://www.owasp.org/images/f/f4/OWASP_Top_10_RC2_to_Final_redline.doc
>>> 
>>> Once you have a copy, I'd like to delete it as it's not necessary for
>>> the public to see that version.
>> 
>> Got a copy.
>> 
>>> Thanks to Neil for taking his entire weekend to Wiki-fy the Top 10.
>>> Neil, in response to your e-mails, I've added the authors and also
>>> re-ordered the helpers a bit to better reflect their "helperness". Can
>>> you re-order the credits on the main page to be the same? Your effort
>>> is at least the same as Sylvan's, so feel free to figure out where you
>>> should be in relation to Sylvan's credit.
>> 
>> Leaving me the option of reordering my credits - Hmm... I'll have to look
>> to the sage of all things wise and ask myself "What would Homer Simpson
>> do here?" Perhaps I'll need a title such as "Uber-Major Project
>> Organizer and Director of This Security Thingy" ;-)
>> 
>> Seriously - giving me options as to how to credit myself is less fun
>> than a root canal by a dental student who just ran out of novocaine and
>> has the nitrous oxide mask on his face instead of mine. I'll put myself
>> on line with Sylvan and avoid using words like "brilliantly and
>> efficiently completed a thankless and horrifically painful task" when
>> describing my work.
>> 
>> Unless I run into problems, I should have the Wiki completely updated by
>> end-of-the-day - let's say midnite my time (or perhaps midnite in
>> California or better yet Alaska :-). I've told my boss I'm officially
>> off-duty today so I'll just crank through it once I'm done with the
>> kid/daddy stuff. I spent a lot of time on the script and it does pretty
>> much everything we need. There's only a bit of hand-editing that needs
>> to happen.
>> 
>> I'm sorry I got involved so late, it's been fun and, assuming nobody
>> minds, I'm planning on making incremental changes to the Wiki format as
>> time goes on. There are a couple of things that I'm unhappy with.
>> 
>> Thanks for letting me help (not that anyone turns down help on an
>> open-source project, no matter how functional they are) - Neil
>> 
>>> As to your other e-mails: It's my view that the next release, Top 10
>>> 2008, will branch off the Wiki version, rather than me holding on to
>>> the Word master. I don't want to be the road block for the 2008
>>> edition as I move back onto working on the Guide. My view is that
>>> we'll keep the Top 10 doc / docx / PDF versions stable, and update the
>>> Wiki versions as the master as of now, creating milestone releases in
>>> Word / PDF version as necessary, say once every 12 months.
>>> 
>>> Thanks to everyone who contributed to this release - you have helped
>>> improve a key OWASP deliverable which is used by millions globally.
>>> 
>>> Thanks,
>>> Andrew
>>> 
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>> 
> 

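Neil's question in the quoted message above (if someone puts an infected file on the site, how would we even know?) is the kind of thing a published checksum manifest answers for the stable PDF/DOC/ODF downloads. What follows is an added example, not code from this thread or from OWASP's release process. It writes the manifest in `sha256sum` format so readers can check a download with the standard tool, and re-checks a release directory so a replaced, missing or unlisted file is reported instead of being discovered "eventually". The file names and contents are constructed for the demonstration; a real release would additionally sign the manifest (or host it separately), because an attacker who can replace the artifacts on a web server can usually rewrite an unsigned checksum file next to them too.

```python
"""Added example: sha256sum-compatible manifest for published release files.

Builds a manifest over the artifacts of a release (PDF, DOC, ODF, ...), then
re-checks the published directory against it, so a swapped, modified, missing
or unexpected file is reported. File names and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "SHA256SUMS"  # assumed name; excluded from the "unexpected" check


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256; large PDFs should not be read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(release_dir: Path, names: list[str]) -> str:
    """Return manifest text in `sha256sum` format ("<hex>  <name>" per line),
    so it can also be verified with `sha256sum -c SHA256SUMS`."""
    lines = [f"{sha256_of(release_dir / n)}  {n}" for n in sorted(names)]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> expected hex digest; tolerates blank lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split("  ", 1)
        expected[name] = digest.lower()
    return expected


def verify_release(release_dir: Path, manifest_text: str) -> list[str]:
    """Compare the directory against the manifest. Returns findings; an empty
    list means every listed file is present and unchanged and nothing unlisted
    has appeared alongside the release."""
    expected = parse_manifest(manifest_text)
    findings = []
    for name, digest in expected.items():
        p = release_dir / name
        if not p.is_file():
            findings.append(f"MISSING {name}")
        elif sha256_of(p) != digest:
            findings.append(f"MODIFIED {name}")
    present = {p.name for p in release_dir.iterdir() if p.is_file()}
    for name in sorted(present - set(expected) - {MANIFEST_NAME}):
        findings.append(f"UNEXPECTED {name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through: a clean release verifies; then one artifact is
    silently replaced and an unlisted file is dropped in, and both are caught."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        files = {  # constructed stand-ins for the real release artifacts
            "OWASP_Top_10_2007.pdf": b"%PDF-1.4 constructed sample\n",
            "OWASP_Top_10_2007.doc": b"\xd0\xcf\x11\xe0 constructed sample\n",
            "OWASP_Top_10_2007.odt": b"PK\x03\x04 constructed sample\n",
        }
        for name, body in files.items():
            (d / name).write_bytes(body)
        manifest = build_manifest(d, list(files))
        (d / MANIFEST_NAME).write_text(manifest)
        clean = verify_release(d, manifest)

        # Simulate tampering: an artifact replaced, plus a stray upload.
        (d / "OWASP_Top_10_2007.odt").write_bytes(b"PK\x03\x04 something else\n")
        (d / "OWASP_Top_10_2007_RC2.doc").write_bytes(b"unreviewed\n")
        tampered = verify_release(d, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean release:", clean or "OK")
    print("after tampering:", tampered)
```

Run periodically against the published directory (or from a mirror, comparing with the manifest checked in alongside the source), and treat any non-empty result as an incident rather than a housekeeping note: a MODIFIED on a stable PDF is exactly the "infected file on the site" case.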
