
devguide's Introduction

This repository has been migrated to OWASP/www-project-developer-guide

OWASP is moving to a 'web first' philosophy and moving away from downloads. We will still be providing PDF and ePub, but the emphasis will be on providing web page documents.

This means that the OWASP project page is now the source of the document. The draft version 3.0 from this repo is now a work in progress under 'draft' in the OWASP project pages.

This migration is now complete and this repo has been archived as Read Only.

OWASP Developer Guide Reboot

Welcome

Thank you for your interest in the OWASP Developer Guide, the first major Open Web Application Security Project (OWASP) Document.

This is the development version of the OWASP Developer Guide, and will be converted into PDF & MediaWiki for publishing when complete.

This repository is the current development master: version 3.0.

Current stable is version 2.0.1 and is the recommended version for reading until 3.0 becomes more complete.

See our wiki, FAQ page, and Road Map for more information.

Gitbook integration

For a pleasant reading experience, use GitBook to turn this document into a PDF, e-book, website, etc.

Contributing

Our wiki contains more information about the project's background and purpose. This will be updated here first then ported over to the official OWASP.org wiki.

You do not have to be a security expert in order to contribute!

START HERE: We recommend looking first at the Open Issues and trying to close them.

Some of the ways you can help:

  • Technical editing
  • Review
  • Diagrams
  • Graphic design
  • Code snippets in your favorite language

Contact

You can join in the conversation on the mailing list.

We also discuss a fair amount about the OWASP Guide on Google+.

Please contact the Project Leads: Steven van der Baan or Brad Chesney for any queries about this edition.


devguide's Issues

Refactor: Access Control

This is a placeholder issue relating to the refactor of the access control chapter. Please place all notes, reviews, defects, etc. relating to the access control chapter in here. When the chapter is ready for peer review and graphics, please close this issue.

Chapter Outlines

I and others like me might take a stab at writing certain chunks of chapters, if not the whole thing, if a chapter outline were available.

DevGuide XML does not build using modern DocBook

Trying to use xsltproc to create a .fo fop file that can be processed into a PDF fails.

Please make the DevGuide XML build using modern DocBook 5 so it can be easily rendered on modern Linux.

Refactor: Data Protection

This chapter should concentrate on pulling material from the existing Guide, but concentrate on the controls that should be put in place instead of 2000-era controls.

  • Starting with policies (see ISO 27002:2013) and data (asset) classification
  • Encrypting personal and sensitive information
  • Hashing passwords and credentials (bcrypt, SHA-256, salting, etc.)
  • Protecting data queries (i.e. parameterized queries, ORMs, data bindings)
  • Protecting operating system commands
  • Protecting LDAP queries
  • Protecting XML / XSLT / XPath queries
  • Protecting configuration secrets
  • Protecting personal and sensitive information in e-mails
  • Protecting sensitive information in memory
  • Protecting sensitive information in transit (should link to the Crypto chapter)
  • Storing sensitive information on disk

Unit tests

  • SQL injection tests
  • OS command tests
  • LDAP injection tests
  • etc

Integration testing

  • Testing mobile apps for clear text .plist and preferences
  • Testing configuration files for secrets

This chapter needs to cross-reference and be in tune with the crypto chapter.

Development Branch

Currently, the Milestone 1 chapters reside as pages.

To more fully use the power of Git, may I create a 2014 development branch so people can fork the project?

In that branch would be empty Milestone 1 markdown documents.
I would also fix all the linking to the documents on all pages I have access to.

Which markdown?

Even on the OWASP and GitHub wikis there are two different patterns to use.

Has the project decided on one particular choice?

No mechanism to assist with translations

Got a couple of offers to translate, which is great. But there isn't a way to assist those helpful individuals.

Instead of managing it in this repo, possibly take a cue from the John Papa AngularJS Style Guide https://github.com/johnpapa/angular-styleguide/tree/master/a1/i18n . It seems like a very manageable way to attribute work and allow the translators freedom to help when, at the very least, my translation skills to verify are highly insufficient.

I have pull requested a possible solution. @vdbaan please review at your convenience and merge if acceptable.

I realize you are doing other things now, but do you have any thoughts to add @vanderaj ?

On to sorting the cryptography pull request...

Refactor: Accountability

Chris Young is assigned. Need to add him to this issue.

Please refactor the accountability chapter. Any questions or updates, please use this or e-mail me directly if logging an update here fails.

DevGuide XML might be better ported to a Daps book

It might be possible to spend an hour or two and port the original XML DevGuide to OpenSuse's Daps DocBook easy build system. I tried doing it and it had a number of errors relating to validation, which is almost certainly due to the age of the DocBook XSD used by the old DevGuide.

If someone wants a short and sweet but ultimately useless project except for historical archiving purposes, they could port the DocBook book to a Daps book.

Nothing related with the repo! PLEASE READ

Hi there! Sorry to communicate like this, but it was the way I found to reach you directly.
I have seen your post from a year ago on Stack Exchange, https://stats.stackexchange.com/questions/221511/false-positives-in-cosine-similarity, about false positives in TF-IDF cosine.

I have been getting the same results as you did. I have almost no false negatives, and the false positives occur, as you said, because some texts share the right "keywords" with each other.
Can you share with me the way you solved this problem?

Thanks in advance!

is incident recovery a part of security?

Is recovery a part of security?

As an extension to the principles of security mentioned in Foundations - Security fundamentals, should 'recovery' come into the scope of security?

The three principles that exist are all valid, and act to prevent damage to a website. However, when a compromise occurs, the ability to recover to a secure state quickly and effectively is an important component. It is commonly performed as part of many web teams' role, though perhaps under the heading of 'maintenance'.

In the triad 'recovery' might fit as part of availability, and also part of integrity.

Word Docs Won't Open in LibreOffice/OpenOffice

I was pissed for a week because I was too lazy to open the file in raw format or look at the guts.

Then I took the initiative. So, if you change the .doc extension to .docx on the files you are having trouble with, then many of them will open.

I have never been able to open the main document and have the subordinate documents load. Meh...

Nothing to be done about this, just an FYI.

It is not clear where a reader should start

It is great you are working on refactoring and making the project more accessible to developers. I am new to web development and the OWASP Guide was recommended for learning security considerations. Sadly your new guide is not yet available and someone like me who needs to get started now will have to work with an older version.

The owasp.org page for the guide simply links here for download. Though, once I am here, it is not easy to tell what I should download to just read the guide.

It would be great if the main page (the root README.md) gave some direction for people wanting to know what to read. I eventually figured it out by finding the README.md files in sub-folders.

enumerated list

it's a cool idea, force the order using only number, but we are underground. so...

0x01 - Introduction.md
(...)

'Guild' should say 'Guide' in book summary

On the book summary, the menu item pointing to (00-Introduction/01-About the Development Guide.md) should say About the Development Guide and not About the Development Guild as it currently does.

Refactor: Input validation and output encoding chapter

Please refactor the input validation and output encoding chapters.

There's a very good chance that these two closely related topics should be split into independent chapters. I'm okay with that.

Please make sure that Ajax, DOM, and JSON are talked about in the revised version. Please talk to Jim Manico about best practices in this area.

When you have finished the first draft and closed out all defects and review notes in this placeholder, please close this issue, as it lets us know when the milestone is done.

Complete Cryptography chapter

Hi Kevin

Can you please have a look at the Crypto chapter. I've formatted it with Markdown, so it's now much easier to edit.

thanks
Andrew

Concatenate Markdown Documents and Convert to PDF Document

This would allow the guide to be more accessible to everyone as PDF is easier to consume -- it is also probably one of the more easily accomplished things via scripting.

If no one beats me to it, I will likely do this after all chapters are at least populated with basic information.

The introduction.md stops midsentence!

It is far harder to write solid code than to destroy it. Necessarily, this book contains a great deal of information. Not every application will require every control, and thus it is necessary to...?

Refactor: Session Management chapter

Luke,

I'll spend a bit of time looking over the changes in the next few days and let's make a time to go over the structure and content via a Hangout.

When is good for you? I'm mostly free 8 pm - midnight most nights Australian Eastern Time (UTC+10).
