[Owasp-appsensor-project] AppSensor for Global Security Challenge?

Colin Watson colin.watson at owasp.org
Fri Jan 28 12:44:34 EST 2011


Kevin

Thanks for these - I agree with them all, and have updated the
document (Draft 2 still, but the changes are in history).  In fact,
some of the points are very important.  I was hesitant to include the
phone and fax number since no-one on this list would be answering it,
and actually that answer is optional on the entry form.


Colin

On 28 January 2011 15:06, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> I have a few minor comments / edits. See below.
> -kevin
>
> On 01/28/2011 06:04 AM, Colin Watson wrote:
>> Dear all
>>
>> The draft text has been altered, corrected, extended and updated with
>> suggestions from Alex, Jim, John and Michael.  I haven't had any
>> comments back from the Projects Committee, other than a "wow" from
>> Tom, so will be assuming it's a "yes to proceed".  For those of you who
>> have offered to review it, and anyone else, please could you do so
>> now.
>>
>>    Draft 2
>>    http://www.owasp.org/index.php/AppSensor_GSS_IFSEC_2011#Draft_2
>>
>> In particular, please check:
>>
>> - Do we have the dates and other facts correct?
>
> You said 'Not Applicable' for phone #, yet on
> http://www.owasp.org/index.php/About_OWASP#Contacting_OWASP
>
> there are both phone and fax numbers listed:
>
>  301-275-9403 (phone)
>  301-604-8033 (fax)
>
> So I'm not sure that was intentional and you didn't want to list a
> phone # or just couldn't find one.
>
> Regarding Q6, since OWASP predates AppSensor by a good # of yrs, perhaps
> you should say (from
> http://www.owasp.org/index.php/About_OWASP#The_OWASP_Foundation)
> something like:
>
>        The OWASP Foundation came online on December 1st 2001; it was
>        established as a not-for-profit charitable organization in the
>        United States on April 21, 2004. The AppSensor project was
>        conceived in 2008.
>
> For Q9, since they state "select your answer(s)", you can pick more
> than one. I think you might list it like this:
>
>        Primary: Integrated Security IP Network Solutions
>        Secondary: Intruder Alarms
>
> as I think that IDS is mostly about alarming of suspected intrusion. (Of
> course, if they have a description somewhere of 'Intruder Alarms' being
> something completely different--I see no detailed description of the
> choices--disregard this comment.)
>
> In Q11, I suggest adding a bullet something like this:
>
>        + AppSensor results in fewer false positives because it is
>          instrumented where it has context of the application.
>
> Note you could refer to the answer to Q13 here if you wished.
>
> False positives are a big reason why many don't use an IDS or have
> turned theirs off, so I definitely think that's something that should
> be highlighted in Q11.
>
> For Q12, you mention the Creative Commons Attribution-ShareAlike 3.0
> license, but if I'm not mistaken, the source code itself is also
> delivered under a BSD license. At least I see statements like this
>
>        AppSensor is published by OWASP under the BSD license.
>        You should read and accept the LICENSE before you use,
>        modify, and/or redistribute this software.
>
> at the beginning of most of the source code.  So I think the BSD
> license should also be mentioned in Q12.
>
>> - Are the references to vendors, in Q15 (about understanding the
>> market) acceptable/accurate?
>> - Do we have the right set of deliverables for $10,000?
>> - Are the comments about Java, PHP and ASP.NET acceptable?
>> - Have we mis-represented anything/anyone?
>>
>> We have to submit our entry by Monday.
>
> In Q15, the 4th paragraph states:
>        Recent reports by analysts have indicated there is a
>        positive return on investment for build security into
>        software development processes in a formal manner:
>
> I believe that "for build security into ..." *should read*
> "for building security into ...".
>
> That's all that I found.  Really looks great Colin. Thanks for
> taking the initiative to do this.
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>