OWASP Guide 2013 Development

It’s been nearly seven years since I finished the herculean effort of holding down a day job and leading, editing or excising the existing material, cat herding all the collaborators, and writing a goodly portion of the OWASP Developer Guide 2.0.

I finished PDFing 2.0 around 4.30 am and pushing it to the OWASP website. I was rush packing for BlackHat as my plane was due to depart at 11 am. I checked my mail as I was shutting down my home lab, and got a last minute set of edits from Michael Howard on the crypto chapter (which is definitely not my strong suit). So I fired up Word again, made the changes, and issued 2.0.1 in Word and PDF format pretty much just as I had to walk out the door to catch the plane.

That was the last time the Guide was formally issued.

It’s time to pick up the whip, and dip the pen in the inkwell (well, TextMate this time – we are working in Wiki format at Google Code).

I plan to write at least one blog entry a week to describe how we are going. I am determined this time to not write > 80% of the content. I simply don’t have the time, and honestly, if we’re going to do this before 2.0 can vote, I really need helpers.

The first steps have been put into place:

  • Put out a mail to the Guide mail list asking if I can take over
  • Got a bunch of public and private e-mails saying yes, plus most pleasing to me of all – offers of help!
  • Got an e-mail from Vishal Garg, the previous leader – 1, saying that he had actually stood down last year (!)
  • Got an e-mail from Abraham Kang, the previous leader, saying that he would be happy to co-lead with me (awesome!)
  • Asked the Global Projects Committee to assign the project to me, along with a PM. I’ve not heard back from them, but at this stage, I’m happy to do first, apologise later.

Current status

I’ve been reading the current materials out of the SVN repo. Oh wow. So much work to do. My plan is to use a few hours each day to write a precis of what I have in mind for each section, and then farm out the work to all those who volunteered.

I have to make a few basic executive decisions. These help get the project re-oriented in the right way, so as to encourage lateral thinking about some of the hardest topics in our industry. I need the Guide to lead the charge against group think that XSS or SQL injection is insolvable, or that (weak) passwords will be with us forever. Other decisions are just necessary for logistical reasons. I will try to make as few unilateral decisions as possible.

First executive decision: We cannot possibly know what will be the new hotness.

Developers are a creative and fickle bunch. Business would love us to code everything in COBOL or VB … or Java, but that’s not how the game is played. Freaking awesome developers (the taste makers) choose new and interesting things to them at least once or twice a year or more. A pool of talent builds behind the cooler / better marketed languages / frameworks. Not knowing what will be the next new hotness is my only real assumption whilst we develop the new version of the Guide. 

During Guide 2.0 development, classic ASP was winning the battle over ASP.NET, PHP was very popular and very insecure, and J2EE was just starting the process of moving from Struts 1.x to Spring, modulo a dead end or two (JSR-168 comes to mind). Ruby on Rails was a brand new plaything with a few fervent supporters. How times have changed.

What hasn’t changed are the underlying principles of web application security. I don’t care if you are writing in technologies like Ajax, GWT, Ruby on Rails, Haskell, or you’ve moved to a web flow type model – we know what works and what doesn’t, and to a large extent, it’s in the existing Guide 2.0.

So I want to move the Guide up a level to be a hybrid architecture / detailed design guide, rather than an implementation guide, a set of repeatable architectural / design patterns that are easily adaptable and applicable cross-language, cross-framework, and be aware of new fads that come and go without knowing exactly what they are.

Second Executive Decision: Diagrams must not suck

The Guide has always needed a lot more diagrams than it has. The diagrams I drew back in 2004 and 2005 … suck. I have the originals here, but honestly, I don’t feel we should re-use them.

I will be approaching the Projects committee to find us a good graphic designer to give a cohesive design language for us to do the diagrams in, or simply farm out our hand drawn diagrams to someone who can do them all in the one style in a way that looks good in the Wiki, Word, iPad and PDF versions of the Guide.

In the meantime, I will hand draw and photograph the diagrams I have in mind and include them in the wiki as markup. That way, we’re not spending hours in a diagramming tool when we really need to be writing at this stage.

Third executive decision: Distributed computing

In 2005, the problem of race conditions in web apps was only really in J2EE web apps that did the very wrong but very arcane things. I had planned for 2.0 (and then 2.1) to include a distributed computing chapter that discussed race conditions, but it’s time to include a detailed discussion on asynchronous, distributed computing: i.e. cloud computing.

Not only do we need to take into account the many threads / cores of a typical processor today, thus meaning that any server worth its salt will have multi-threading issues, there are parallel languages (F# with the parallel extensions to .NET, and Go for two), and there is Ajax and all the multitude of frameworks that support asynchrony. I don’t want to forget the oldest of them all – batch and background processes that can still produce surprising results.

So its time to bring this bunch of issues to the forefront, because the cloud genie is out of the bottle, Ajax is well and truly plastered all over the Internet, and if there’s ever a new single core CPU running a new single threaded OS ever again, I’d be immensely surprised.

Where to from here?

It’s time to gather the offers for support and start to build a road map, and build consensus on where we should be going. In my view, we need to and indeed must lead the industry by at least two-three years to be relevant on day one of our launch. 2.0 was ahead of its time, but only just, and in the last seven years, my lack of foresight / bravery in targeting the absolutely crazy bleeding edge meant irrelevance by 2008 at the latest.

If you want to help, please join the mail list and please offer your services. It’s time to get OWASP Developer Guide 2013 going again.

Published by vanderaj

Just another security geek

Leave a comment

Your email address will not be published. Required fields are marked *