[Owasp-appsensor-project] AppSensor for Global Security Challenge?
Kevin W. Wall
kevin.w.wall at gmail.com
Fri Jan 28 10:06:37 EST 2011
I have a few minor comments / edits. See below.
-kevin
On 01/28/2011 06:04 AM, Colin Watson wrote:
> Dear all
>
> The draft text has been altered, corrected, extended and updated with
> suggestions from Alex, Jim, John and Michael. I haven't had any
> comments back from the Projects Committee, other than a "wow" from
> Tom, so will be assuming it's a "yes to proceed". For those of you who
> have offered to review it, and anyone else, please could you do so
> now.
>
> Draft 2
> http://www.owasp.org/index.php/AppSensor_GSS_IFSEC_2011#Draft_2
>
> In particular, please check:
>
> - Do we have the dates and other facts correct?
You said 'Not Applicable' for phone #, yet on
http://www.owasp.org/index.php/About_OWASP#Contacting_OWASP
there are both phone and fax numbers listed:
301-275-9403 (phone)
301-604-8033 (fax)
So I'm not sure whether that was intentional and you didn't want to list a
phone #, or you just couldn't find one.
Regarding Q6, since OWASP predates AppSensor by a good # of yrs, perhaps
you should say (from
http://www.owasp.org/index.php/About_OWASP#The_OWASP_Foundation)
something like:
The OWASP Foundation came online on December 1st 2001; it was
established as a not-for-profit charitable organization in the
United States on April 21, 2004. The AppSensor project was
conceived in 2008.
For Q9, since they state "select your answer(s)", you can pick more
than one. I think you might list it like this:
Primary: Integrated Security IP Network Solutions
Secondary: Intruder Alarms
as I think that IDS is mostly about alarming of suspected intrusion. (Of
course, if they have a description somewhere of 'Intruder Alarms' being
something completely different--I see no detailed description of the
choices--disregard this comment.)
In Q11, I suggest adding a bullet something like this:
+ AppSensor results in fewer false positives because it is
instrumented where it has context of the application.
Note you could refer to the answer to Q13 here if you wished.
False positives are a big reason why many don't use an IDS or have
turned theirs off, so I definitely think that's something that should
be highlighted in Q11.
For Q12, you mention the Creative Commons Attribution-ShareAlike 3.0
license, but if I'm not mistaken, the source code itself is also
delivered under a BSD license. At least I see statements like this
AppSensor is published by OWASP under the BSD license.
You should read and accept the LICENSE before you use,
modify, and/or redistribute this software.
at the beginning of most of the source code. So I think the BSD
license should also be mentioned in Q12.
> - Are the references to vendors, in Q15 (about understanding the
> market) acceptable/accurate?
> - Do we have the right set of deliverables for $10,000?
> - Are the comments about Java, PHP and ASP.NET acceptable?
> - Have we mis-represented anything/anyone?
>
> We have to submit our entry by Monday.
In Q15, the 4th paragraph states:
Recent reports by analysts have indicated there is a
positive return on investment for build security into
software development processes in a formal manner:
I believe that "for build security into ..." *should read*
"for building security into ...".
That's all that I found. Really looks great Colin. Thanks for
taking the initiative to do this.
-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME