

Ask HN: Good place to publish a security model - Yoric

Dear Aunt Irma,

We've been working for a few years now on a very nice web development platform with a considerable array of security defenses. It's now high time to document & publish the security model. Any thoughts on _where_ to do this? Project Blog? Academic Journal? OWASP Project Page? etc.

With coding love,

Yoric
======
tptacek
How are your security defenses different from those in OWASP's ESAPI project,
or (even simpler) in Rails?

Where you should publish depends on how interesting your contribution is.

Your contribution would need to be very interesting indeed to make it through
peer review. Given the odds, I probably wouldn't spend the time writing a
formal paper.

~~~
Yoric
Parts of the defenses implement the ESAPI project. But some address very
different attacks and/or application scenarios.

~~~
tptacek
OK... keep going...?

------
yid
I've been wondering the same thing. Journals are mostly out of the question
unless you've got time to spare. Conferences might be better if you've got
something novel that can get through peer review, _and_ have a few months to
spare.

Perhaps consider writing it up from a generic point of view, adding references
where necessary, and post a link on HN and security mailing lists? Or submit a
paper to arXiv?

~~~
Yoric
In this case, I believe that there's enough novel stuff to make it a
conference paper, but not the time to make it through peer review.

> Perhaps consider writing it up from a generic point of view, adding
> references where necessary, and post a link on HN and security mailing
> lists? Or submit a paper to arXiv?

I'll think about it, thanks.

~~~
tonyarkles
My experience with conference papers (albeit limited) is that it doesn't
actually take that much effort to make it through the peer review process, so
long as you've got something novel and interesting, and you've taken the time
to find the correct context for it (correct conference, correct related work,
etc).

