Playbooks Common Format
Original Working Session content: Playbooks Common Format
Introduction and Purpose
The goal of an OWASP Playbook is to provide an actionable, consistent process for working with various application security scenarios. Most security playbooks address what to do when something happens to you (e.g., respond to an incident), but an OWASP Playbook addresses what to do when you want to do something (e.g., pen test an application). Throughout the OWASP Summit (and hopefully into the future), playbooks will be created to address various scenarios. With this in mind, the Playbook Common Format working session focused on devising and agreeing a framework that will be common to all OWASP Playbooks.
The Playbook Common Format working session group reviewed a template worksheet designed to help other Playbook working sessions structure their thinking. We defined a process we recommend to other Playbook working groups. We then defined six general categories of content that should be included in an OWASP Playbook so that readers of the series know what to expect from it. We hope that other Playbook working sessions (as well as future Playbook authors) find this information useful.
Playbook Working Session process
To have an effective working session that generates meaningful and collaborative content, we recommend the following process for Summit working sessions:
- Explain the OWASP Playbook concept to participants.
- Collaboratively define the scope of the session, including the scenario(s), audience(s), and characteristics. Time is limited, so we suggest narrowly defining the scope of an initial scenario so that the playbook can be as actionable as possible.
- Ensure that there are no playbooks already in existence and more suited to the scenario(s). Redefine the target scenario(s) if appropriate.
- Distribute the OWASP Playbook Working Session Worksheet to the participants and ask them to draft an initial set of steps to structure and capture their thoughts.
- Ask participants to share their worksheet with the group.
- Identify and distill the common threads of the process and document them in a process workflow diagram.
- With the process defined, break into five smaller groups and assign each group to discuss the remaining content items:
  - Cost-benefit analysis
  - Quick wins
  - Success criteria & metrics
  - Improvement opportunities (given the perspective of the agreed process)
1. Domain & Scope
What does an OWASP Playbook provide to the reader? This content defines the domain (e.g., bug bounty, pen test) and clearly communicates the scenario (“the something”) to which the playbook applies. Any particular domain can have multiple scenarios, but each scenario should be encapsulated in its own playbook, as OWASP Playbooks are intended to be actionable. There are many perspectives from which scenarios can be viewed, including the following:
- The entity wanting an action to be taken
- The entity that executes the action
- The entity that uses the result of the action
- Proactive (taking action because of a choice)
- Reactive (taking action because of an event)
2. Prerequisites
What must the reader already have in place for the action in question? These could include organisational funding, processes, or technical requirements. The ‘prerequisites’ content will help the reader decide whether they are ready for the action. An OWASP Playbook should enumerate what is needed for the action.
3. Cost-Benefit Analysis
Should the reader even consider taking this specific action? Generally speaking, this content presumes that the entity wants the action to take place. However, it may not be a prudent action. Perhaps the action is too costly or does not provide the desired outcome. As a result, the entity should perform a cost-benefit analysis. This content will help the reader determine whether their chosen action is appropriate. An OWASP Playbook should provide guidance on various criteria to help the reader measure both the cost of the action and its benefit.
4. The Process
How should the reader approach the action? The steps should provide a detailed action plan for the reader. Note that process steps are unique to a scenario and audience. This content will give the reader enough information to make their action happen. For the person who wants the action done, this information might cover steps to engage a service provider (internal or external). For the person who executes the action, the information might cover the steps to perform the action. For whoever needs to use the result of the action, the information might provide the steps for interpreting the action. An OWASP Playbook should provide the necessary steps for the reader to achieve their desired outcome for their chosen action.
5. Quick Wins
What if the reader can’t do everything in the process? Perhaps there is a limit on time, budget, or other resources. This content will give the reader a short list of actions to improve the situation. The list may be a prioritised set of steps or it could suggest weaker alternatives to the process. The goal is to provide some “quick wins” related to the action that the reader can perform. An OWASP Playbook should provide a short list of high-value, low-effort “quick wins” for the reader.
6. Success Criteria & Metrics
How does the reader know they’ve achieved success? Success could simply be completing the process. More likely, there are some metrics that can be used to determine that the process was done well. This content will give the reader suggested criteria and metrics to determine that the outcome of the action was a success. An OWASP Playbook should provide suggested metrics and criteria to determine that the process was executed well.
7. Improvement Opportunities
What can the reader do next? Perhaps they are interested in scaling or automating the action. Or maybe they would like to improve their maturity on the security scale. This content will give the reader more information about next steps. An OWASP Playbook should provide suggested improvements for both a chosen action and for related actions that the reader should consider.