[GPC] ModSecurity Core Rule Set Project Status
Paulo Coimbra
paulo.coimbra at owasp.org
Wed Nov 25 14:46:17 EST 2009
Ivan,
I thank you for keeping us updated. We will be waiting for your notes.
Regards,
Paulo Coimbra,
OWASP Project Manager
> >-----Original Message-----
> >From: Ivan Ristic [mailto:ivanr at webkreator.com]
> >Sent: Wednesday, 25 November 2009 19:42
> >To: paulo.coimbra at owasp.org
> >Cc: 'Ryan Barnett'; 'Global Projects Committee'; 'Leonardo Cavallari
> >Militelli'; ivan.ristic at breach.com
> >Subject: Re: ModSecurity Core Rule Set Project Status
> >
> >Just FYI, I have finished my review, but I will only be able to compile
> >my notes next week.
> >
> >BTW, I no longer receive email sent to ivan.ristic at breach.com.
> >
> >Ivan
> >
> >Paulo Coimbra wrote:
> >> Hello Ryan,
> >>
> >>
> >>
> >> I thank you for your swift answer.
> >>
> >>
> >>
> >> I’ve added the reviewers’ names at the assessment page
> >>
> >http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project_-_ModSecurity_2.0.3_-_Assessment.
> >>
> >>
> >>
> >> Please do not hesitate and get back to me if you think I can be of
> >any help.
> >>
> >>
> >>
> >> Best regards,
> >>
> >>
> >>
> >> Paulo Coimbra,
> >>
> >> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> >>
> >>
> >>
> >> *From:* Ryan Barnett [mailto:ryan.barnett at breach.com]
> >> *Sent:* Tuesday, 24 November 2009 18:36
> >> *To:* paulo.coimbra at owasp.org
> >> *Cc:* 'Global Projects Committee'; 'Leonardo Cavallari Militelli'
> >> *Subject:* Re: ModSecurity Core Rule Set Project Status
> >>
> >>
> >>
> >> Thanks for getting back to me and thank you Leonardo for offering to
> >> help. I did get confirmation from Ivan Ristic that he would be the 1st
> >> reviewer however he won't be able to start for a few more weeks.
> >>
> >> I will get some more stuff updated and after I work with Ivan, I
> >will
> >> notify Leonardo to begin his review.
> >>
> >> Thanks again.
> >>
> >> Ryan Barnett
> >>
> >> Director of Application Security Research
> >>
> >> Phone: (703) 794-2248
> >>
> >> Cell: (703) 269-8998
> >>
> >> Breach Security, Inc.
> >>
> >> 2141 Palomar Airport Road, Suite 200
> >>
> >> Carlsbad, CA 92011
> >>
> >> www.breach.com <http://www.breach.com/>
> >>
> >>
> >> On Tuesday 24 November 2009 01:22:52 pm Paulo Coimbra wrote:
> >>
> >>> Hello Ryan,
> >>
> >>>
> >>
> >>> The GPC has allocated one of its members to act as ModSecurity’s
> >reviewer.
> >>
> >>> Leonardo Cavallari Militelli
> >>
> >>> http://www.owasp.org/index.php/User:Leocavallari is the GPC member
> >that
> >>
> >>> has volunteered to assume the task.
> >>
> >>>
> >>
> >>> Have you already decided about the first reviewer? Are you still thinking of
> >>
> >>> inviting either Ivan Ristic or Ofer Shezaf? Have you also seen the email
> >>
> >>> in which Marc Chisinevski showed his willingness to assume the task?
> >>
> >>>
> >>
> >>> Please drop me a line and let me know how you want to proceed.
> >>
> >>>
> >>
> >>> Many thanks, best regards,
> >>
> >>>
> >>
> >>> Paulo Coimbra,
> >>
> >>> OWASP Project Manager<https://www.owasp.org/index.php/Main_Page>
> >>
> >>>
> >>
> >>> From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> >>
> >>> Sent: Thursday, 12 November 2009 18:20
> >>
> >>> To: 'Ryan Barnett'
> >>
> >>> Cc: 'Global Projects Committee'
> >>
> >>> Subject: RE: ModSecurity Core Rule Set Project Status
> >>
> >>>
> >>
> >>> Hello Ryan,
> >>
> >>>
> >>
> >>> The missing release wiki page has already been set up
> >>
> >>>
> >>> http://www.owasp.org/index.php/OWASP_ModSecurity_Core_Rule_Set_Project_-_ModSecurity_2.0.3.
> >>
> >>> Please check it out and feel free to change it as you find best.
> >>
> >>>
> >>
> >>> In my perspective, right now, before the beginning of the
> >assessment
> >>
> >>> process, we only have a couple of issues to sort:
> >>
> >>>
> >>
> >>>
> >>
> >>> 1. Project Pamphlet
> >>
> >>> http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/,
> >>
> >>>
> >>
> >>> 2. Brian Rectanus’s wiki account
> >>
> >>>
> >>
> >>> 3. Project Roadmap
> >>
> >>>
> >>> http://globalprojectscommittee.wordpress.com/2009/09/28/clarification-of-requirements-for-assessment-crirteria-v2/
> >>
> >>>
> >>
> >>> 4. First reviewer,
> >>
> >>>
> >>
> >>> 5. Second reviewer,
> >>
> >>>
> >>
> >>> 6. Release Flyer/Pamphlet,
> >>
> >>>
> >>
> >>> 7. Release Notes.
> >>
> >>>
> >>
> >>> Should you have any further questions please do not hesitate to get
> >back to
> >>
> >>> me.
> >>
> >>>
> >>
> >>> Many thanks,
> >>
> >>>
> >>
> >>> Paulo Coimbra,
> >>
> >>> OWASP Project Manager<https://www.owasp.org/index.php/Main_Page>
> >>
> >>>
> >>
> >>> From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> >>
> >>> Sent: Wednesday, 11 November 2009 18:41
> >>
> >>> To: 'Ryan Barnett'
> >>
> >>> Cc: 'Global Projects Committee'; 'OWASP Foundation Board List'
> >>
> >>> Subject: RE: ModSecurity Core Rule Set Project Status
> >>
> >>>
> >>
> >>> Hello Ryan,
> >>
> >>>
> >>
> >>> I thank you for getting back to me and congratulate you on the progress
> >>
> >>> the ModSecurity has already made.
> >>
> >>>
> >>
> >>> Regarding the release assessment, in accordance with the assessment
> >2.0
> >>
> >>> http://www.owasp.org/index.php/Assessing_Project_Releases, a Stable
> >>
> >>> Release requires 2 reviewers and it is recommended that an OWASP
> >board
> >>
> >>> member or Global Projects Committee (GPC) member be the second
> >reviewer.
> >>
> >>> Also, it says that ideally, reviewers should be an existing OWASP
> >project
> >>
> >>> leader or chapter leader.
> >>
> >>>
> >>
> >>> That being said, if you agree, I will contact both the GPC and the
> >Board to
> >>
> >>> find out if any of them can assume the review task.
> >>
> >>>
> >>
> >>> As for the second reviewer, given that the assessment prerequisites
> >use the
> >>
> >>> word ‘ideally’, and taking into account the relevant OWASP past
> >>
> >>> contributions of both Ivan Ristic and Ofer Shezaf, I believe you
> >could
> >>
> >>> pick one of them without GPC (being carbon copied) opposition.
> >Please let
> >>
> >>> me know your thoughts on this.
> >>
> >>>
> >>
> >>> As for the operational process, I have already set up and filled in
> >the new
> >>
> >>> project details page
> >>
> >>>
> >>> http://www.owasp.org/index.php/GPC_Project_Details/OWASP_ModSecurity_Core_Rule_Set_Project
> >>
> >>> and linked it with your project page. Please let me know
> >>
> >>> if you agree and, of course, feel free to change it as you find
> >best.
> >>
> >>>
> >>
> >>> To conclude, I have to inform you that currently the GPC is working
> >to
> >>
> >>> improve the template that supports the assessment process itself
> >(once
> >>
> >>> done it will be set up under the link ‘Release details: Main links,
> >>
> >>> release roadmap and
> >>
> >>>
> >>> assessment<http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Web_Application_Firewalls_-_Release_1.0.4>’).
> >>
> >>> I believe this process will be
> >>
> >>> completed very soon and thereafter we can re-trigger the evaluation
> >>
> >>> process. I apologise for any inconvenience this may cause.
> >>
> >>>
> >>
> >>> Many thanks, best regards,
> >>
> >>>
> >>
> >>> Paulo Coimbra,
> >>
> >>> OWASP Project Manager<https://www.owasp.org/index.php/Main_Page>
> >>
> >>>
> >>
> >>> From: Ryan Barnett [mailto:Ryan.Barnett at breach.com]
> >>
> >>> Sent: Wednesday, 11 November 2009 16:11
> >>
> >>> To: paulo.coimbra at owasp.org
> >>
> >>> Subject: ModSecurity Core Rule Set Project Status
> >>
> >>>
> >>
> >>> Hey Paulo,
> >>
> >>> I just wanted to touch base with you to get some guidance on next
> >steps for
> >>
> >>> promoting the CRS project from Alpha onto Beta or Release Quality.
> >>
> >>>
> >>
> >>>
> >>> http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
> >>
> >>>
> >>
> >>> Our project already has stable releases and I have just uploaded
> >the
> >>
> >>> project overview PPT (same one I will be presenting tomorrow at
> >AppSec DC)
> >>
> >>> but I know that I need to get some Project Reviewers. I originally
> >had
> >>
> >>> both Ivan Ristic and Ofer Shezaf slated for these purposes but they
> >have
> >>
> >>> both stepped down as OWASP Local Chapter Leaders...
> >>
> >>>
> >>
> >>> Should I put a call out to the OWASP leaders list asking for help?
> >>
> >>>
> >>
> >>> Thanks,
> >>
> >>> Ryan
> >>
> >>>
> >>