[Owasp-topten] OWASP Top 10 Simplified
owasp-topten at smithline.net
Sun May 27 17:14:05 EDT 2007
Sounds difficult but great. A word of advice (OK, a paragraph of
advice), and an offer for reviewing.
Before you get started, I think you should figure out what the
maintenance plans for this new doc are. Will it be kept in sync going
forward with the Wiki or the PDF version? If so, how often will updates
occur? Where will this document reside? What happens if a major mistake
(I guess unlikely but not impossible) or some other change takes place
in the current doc? Will it be reflected in the non-techie version (NTV,
as compared to the official version (OV))? I think simple answers might
suffice here but you should probably figure it out before so you don't
run down any wrong paths and have to redo work.
As far as reviewing - I'm not exactly a non-techie but I'll be happy to
review it. I suspect I can still provide some feedback even though I'm
not your target audience. Also, once I see the document, I'll let you
know if I can think up any friends/coworkers I can stick with the
reviewing task. I have a graphic artist, a career manager (was never an
engineer) and a recruiter in mind. I'll discuss any of this with you
before distributing to ensure you keep control over preliminary versions.
PS: Good luck on an NTV version of XSS and XSRF. I can't tell you how
many bright engineers I run into who don't get those or who claim to
"get" them but say they are not vulnerabilities.
PPS: Be sure to add to the document lots of phrases like "Security is
hard, security people are smart, you should pay them more." Maybe as a
subliminal watermark or something.... ;-)
Daniel Cuthbert wrote:
> rewriting the new one, but using non-technical language
> On 27 May 2007, at 20:46, Neil Smithline wrote:
>> I'm not exactly clear what you are doing? Are you rewriting the
>> existing document, writing a new one, add a new section, adding a
>> supplement to the existing document?
>> Thanks - Neil
>> Daniel Cuthbert wrote:
>>> Afternoon all,
>>> Not sure if everyone is aware, but I am currently adapting the Top
>>> 10 so that it is more business friendly. The benefit of this is
>>> that the upper level of management will also be able to understand
>>> the implications and actions of not following the Top 10.
>>> I am currently about 40% through the translation process and aim to
>>> be finished in a few weeks.
>>> What I am looking for is a select number of people who are able to
>>> peer it, and they cannot be technical as I need a non-technical
>>> person to be able to understand it :0)