[Owasp-topten] OWASP Top 10 Simplified
daniel.cuthbert at owasp.org
Mon May 28 02:44:54 EDT 2007
On 28 May 2007, at 04:14, Neil Smithline wrote:
> Sounds difficult but great. A word of advice (OK, a paragraph of
> advice), and an offer for reviewing.
Yes, this isn't the easiest of projects, but it's something we should have
done a long time ago. Technical documents assume far too much these
days, and they alienate the majority of readers.
> Before you get started, I think you should figure out what are the
> maintenance plans for this new doc. Will it be kept in sync going
> forward with the Wiki or the PDF version?
Will be kept in sync on both the Wiki and the PDF.
> If so, how often will updates occur?
Only when the main Top 10 changes.
> Where will this document reside?
Good point, the best thing about both documents is that they are
widely used, so I expect a large amount of feedback as the document
is used by non-technical people.
> What happens if a major mistake (I guess unlikely but not
> impossible) or some other change takes place in the current doc?
> Will it be reflected in the non-techie version (NTV as compared to
> the official version (OV))? I think simple answers might suffice
> here but you should probably figure it out before so you don't run
> down any wrong paths and have to redo work.
> As far as reviewing - I'm not exactly a non-techie but I'll be
> happy to review it. I suspect I can still provide some feedback
> even though I'm not your target audience. Also, once I see the
> document, I'll let you know if I can think up any friends/coworkers
> I can stick with the reviewing task. I have a graphic artist, a
> career manager (was never an engineer) and a recruiter in mind.
> I'll discuss any of this with you before distributing to ensure you
> keep control over preliminary versions.
Brilliant, these are all perfect audiences to review this document.
> - Neil
> PS: Good luck on an NTV version of XSS and XSRF. I can't tell you
> how many bright engineers I run into who don't get those or who
> claim to "get" them but say they are not vulnerabilities.
This is why I wanted this document to be done, so many people say
they understand but in reality they don't. Another thing I found when
speaking to upper level management is that they feel embarrassed to
ask what certain parts of technical documents mean, so they often
play along and pretend they know. This is not part of my way of doing
things, hence me pushing this doc.
> PPS: Be sure to add to the document lots of phrases like "Security
> is hard, security people are smart, you should pay them more."
> Maybe as a subliminal watermark or something.... ;-)
It's already been littered with "If you like this, buy Daniel a
Hasselblad or Leica!!"
> Daniel Cuthbert wrote:
>> Rewriting the new one, but using non-technical language.
>> On 27 May 2007, at 20:46, Neil Smithline wrote:
>>> I'm not exactly clear what you are doing? Are you rewriting the
>>> existing document, writing a new one, add a new section, adding a
>>> supplement to the existing document?
>>> Thanks - Neil
>>> Daniel Cuthbert wrote:
>>>> Afternoon all,
>>>> Not sure if everyone is aware, but I am currently adapting the
>>>> Top 10 so that it is more business friendly. The benefit of
>>>> this is that the upper level of management will also be able to
>>>> understand the implications and actions of not following the
>>>> Top 10.
>>>> I am currently about 40% through the translation process and aim
>>>> to be finished in a few weeks.
>>>> What I am looking for is a select number of people who are able
>>>> to peer review it, and they cannot be technical, as I need a
>>>> non-technical person to be able to understand it :0)