[GPC] Fwd: OWASP Metrics Project

Paulo Coimbra paulo.coimbra at owasp.org
Thu Aug 20 15:12:47 EDT 2009

Hello Jeffrey,


I thank you for your interest in leading an OWASP Project - and send
congratulations on the Global Projects Committee's agreement with handing
over the project leadership to you.


As for the project management, please allow me a couple of directions.


Firstly, I recommend you glance at OWASP's Assessment Criteria -
https://www.owasp.org/index.php/Category:OWASP_Project_Assessment. As you
may know, this set of rules will be used both to push the project up the
ladder and to eventually assess it. In addition, I also recommend you
briefly check out this link
http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects as a means to
understand our process of setting up new projects.


Secondly, to complete the project's identification tab with its minimal
content, I ask you to please send me off ASAP the following data:


1. Project Purpose (if you wish to rewrite its scope),
2. Project Roadmap,
3. Project main links (if any),
4. Project License,
5. Project Leader
   a) Project Leader email address,
   b) Project Leader wiki account,
6. Project Maintainer (if any),
   a) Project Maintainer name,
   b) Project Maintainer email address,
   c) Project Maintainer wiki account,
7. Project Contributor(s) (if any),
   a) Project Contributor(s) name,
   b) Project Contributor(s) email address(es),
   c) Project Contributor(s) wiki account(s).


Later on, as soon as you are ready to do so and before the assessment of
your first release, please send me off:


8. Conference style presentation that describes the project in at least 3
   slides,
9. Project Flyer/Pamphlet (PDF file).


Please note that as your project matures, we would like to help promote your
project and apply some consistency across other OWASP projects. Please let
us know when you are nearing your first release so we can work with you on
some additional project requirements. If you would like a preview of these
requirements, please see here
http://www.owasp.org/index.php/Assessing_Project_Health and here
http://www.owasp.org/index.php/Assessing_Project_Releases.


That is all for now - I wish you good work and thank you for supporting the
OWASP mission.


Should you have any queries or require any further information please do not
hesitate to contact me. 


Many thanks, best regards,


Note: To create wiki accounts
<https://www.owasp.org/index.php/Special:Userlogin>, please see here
<https://www.owasp.org/index.php/Tutorial> and here
<http://www.owasp.org/index.php/User:Mtesauro> how to do it, and here
dentification> an example of how it will be used.


Paulo Coimbra,

OWASP <https://www.owasp.org/index.php/Main_Page> Project Manager


From: global-projects-committee-bounces at lists.owasp.org
[mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of Brad
Sent: Thursday, 6 August 2009 21:42
To: Jason Li
Cc: jeffrey.barto at ubs.com; Global Projects Committee
Subject: Re: [GPC] Fwd: OWASP Metrics Project


I'm good with it.

-Brad Causey

Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)

On Mon, Aug 3, 2009 at 9:03 AM, Jason Li <jason.li at owasp.org> wrote:



I've been put into contact with Jeff Barto who is interested in contributing
to the OWASP Application Security Metrics Project. The project was declared
orphaned earlier. Jeff is willing to take up the leadership of this project.
See Jeff's vision in the thread below.


I'd like to add discussion of changing leaders to the agenda for tonight's
meeting (http://www.owasp.org/index.php/GPC_Agenda_2009-08-03).



---------- Forwarded message ----------
From: <Jeffrey.Barto at ubs.com>
Date: Thu, Jul 30, 2009 at 4:52 PM
Subject: RE: OWASP Metrics Project
To: jason.li at owasp.org, peter.dean at owasp.org
Cc: James.McGovern at thehartford.com, jbarto3 at sbcglobal.net

Hi Jason,


I have given quite a bit of thought to this area and separate software
metrics and security metrics with a bit of union between them.  Before we
get started here are my main concepts around security metrics:


1.  Security Metrics are either a direct metric or an indirect metric based
on the measurement criteria.  For instance # security flaws/module can be
directly measured at a given point in time where the results are compared to
known, mature data.  Indirect metrics are # security flaws/module that
cannot be compared to known, mature data.  


2.  All metrics must have a mathematical formula that is standard to compare
to any data gathered.


3.  Metrics can be used to estimate exposure in predetermined categories if
data is not mature.  This is Bayesian Inference.


4.  Metrics are useless without data gathering, classifications and
repeatable processes/tools.


5.  Metrics must be formula based or logically based.  For instance a
logically based metric would look like - # security flaws X <estimated new,
undiscovered flaws> / average # of flaws found in the same application
category.  Since estimated new, undiscovered flaws is a prediction, this
metric would then provide a probability density function for each
application category.


6.  Metrics work on top of data and need statistics and probability to be
used effectively.


This is a bit of a shift from what the current site discusses, if you are
game I will lead.
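The direct/indirect distinction and the Bayesian estimate of exposure for a category with immature data (points 1 and 3 above) are easy to see in code. The block below is an added example and is not code from the OWASP Metrics Project or from anyone in this thread; it assumes a Gamma-Poisson conjugate model for "flaws per module" (my choice of technique, which the message does not specify) and uses constructed flaw counts. A direct metric is computed straight from a category's own data; for a category with too little data, the mature category's data becomes a prior and the result is a posterior density over the flaw rate rather than a single number.

```python
# Added example (not from the OWASP project or the thread): direct metric
# from mature data versus a Bayesian (Gamma-Poisson) estimate for a category
# whose data is not yet mature. The model choice is an assumption of this
# example; all flaw counts below are constructed.
import math

# Constructed sample: security flaws found per module, by application category.
FLAWS_PER_MODULE = {
    "web-app": [3, 5, 2, 4, 6, 3, 4, 5, 2, 4, 3, 5],  # mature data
    "batch":   [1, 2],                                 # immature data
}


def direct_metric(counts):
    """Direct metric: mean flaws per module, measured from the data itself."""
    return sum(counts) / len(counts)


def category_prior(reference_counts, weight):
    """Turn mature reference data into a Gamma(alpha, beta) prior on the
    flaw rate. `weight` is how many pseudo-modules the prior is worth."""
    mean = direct_metric(reference_counts)
    return mean * weight, float(weight)   # (shape alpha, rate beta)


def posterior(alpha, beta, counts):
    """Gamma-Poisson conjugate update with observed per-module flaw counts."""
    return alpha + sum(counts), beta + len(counts)


def posterior_mean(alpha, beta):
    return alpha / beta


def gamma_pdf(x, alpha, beta):
    """Density of Gamma(shape=alpha, rate=beta) at x: the probability density
    function for the flaw rate in the category."""
    if x <= 0:
        return 0.0
    return math.exp(alpha * math.log(beta) + (alpha - 1) * math.log(x)
                    - beta * x - math.lgamma(alpha))


def credible_interval(alpha, beta, level=0.9, steps=20000):
    """Equal-tailed credible interval, found by integrating the pdf on a grid
    that extends ten standard deviations past the mean."""
    grid_max = alpha / beta + 10 * math.sqrt(alpha) / beta
    dx = grid_max / steps
    tail = (1 - level) / 2
    cum, lo, hi = 0.0, None, None
    for i in range(steps):
        x = (i + 0.5) * dx
        cum += gamma_pdf(x, alpha, beta) * dx
        if lo is None and cum >= tail:
            lo = x
        if cum >= 1 - tail:
            hi = x
            break
    return lo, hi


def estimate_exposure(category, reference="web-app", prior_weight=2):
    """Direct metric for the category plus an indirect, Bayesian estimate
    that borrows strength from the mature reference category."""
    own = FLAWS_PER_MODULE[category]
    alpha, beta = posterior(*category_prior(FLAWS_PER_MODULE[reference],
                                            prior_weight), own)
    lo, hi = credible_interval(alpha, beta)
    return {
        "direct_flaws_per_module": direct_metric(own),
        "posterior_mean": posterior_mean(alpha, beta),
        "credible_90": (lo, hi),
        "posterior_params": (alpha, beta),
    }


if __name__ == "__main__":
    for cat in FLAWS_PER_MODULE:
        print(cat, estimate_exposure(cat))
```

With the constructed data the "batch" category's direct metric (1.5 flaws/module, from two modules) is pulled toward the mature "web-app" rate, and the 90% interval shows how uncertain that estimate still is; as more batch modules are measured the posterior narrows and the direct and Bayesian figures converge.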





