[Owasp-board] Fwd: OSWAP SoC 2008, RFP, question about "P027 - OWASP Application Security Verification Standard"

dinis cruz dinis.cruz at owasp.org
Thu Mar 20 02:11:42 UTC 2008

Hey Jeff & Dave

Did you worked with Mike in a project? (Check thread below for my exchange
with him on his SoC submission)

Do you remember any details of it?

---------- Forwarded message ----------
From: Mike Boberski <mike.boberski at cox.net>
Date: Wed, Mar 19, 2008 at 10:43 PM
Subject: RE: OSWAP SoC 2008, RFP, question about "P027 - OWASP Application
Security Verification Standard"
To: dinis cruz <dinis.cruz at owasp.org>

 Hi Dinis,

No worries w.r.t. email reply timing.

I'm clear on the objective.

I think I'll stick with my certification-based proposal. What I have in mind
is a self-certification scheme that would require review of
self-certification results by an OWASP validation board before being listed
as certified. One set of docs I propose would define the overall
certification framework, one set would define the requirements that
applications would be tested against.

Open source (w.r.t. participation in an open source community) is new to me,
I am only used to closed source if that's the right way to put it, but I
think I can leverage my closed source experience to propose a certification
framework and certification requirements that members of the community will
be able to buy into, I read Jeff's response carefully and understand the
objective. I would expect and look forward to talking with OWASP
members/community to further refine my proposals after producing at least
alpha quality versions of each of the deliverables that I have proposed.

I will re-review those documents further; I had found them (e.g.
presentations with the more than three different proposed levels etc.) and
taken an initial look before I wrote my proposal. I would definitely take
them as input/initial consideration as I would get started.

I would look forward to getting involved in the OWASP community, this seems
an opportunity to leverage my particularly vertical background/experience in
NSA and NIST security-related certification programs. For reference, it is
similar to Jeff's (minus law degree) and Dave's, before Aspect. I had even
worked with them briefly at one firm; it was a positive experiene, working
with them.


 - Mike

Mike Boberski
(At home)

*From:* dinis cruz [mailto:dinis.cruz at owasp.org]
*Sent:* Wednesday, March 19, 2008 12:30 PM
*To:* Mike Boberski
*Cc:* Jeff Williams; Dave Wichers; paulo.coimbra at owasp.org
*Subject:* Re: OSWAP SoC 2008, RFP, question about "P027 - OWASP Application
Security Verification Standard"

Hi Mike (sorry about the delay in this this reply (and thx for your

Anyway, see below some comments on your questions:

On Sun, Mar 16, 2008 at 9:21 PM, Mike Boberski <mike.boberski at cox.net>

>  Hi guys,
> I'm not sure who to direct this question to, so I apologize about the
> perhaps wider than necessary distribution.
> I am considering applying for the "P027 - OWASP Application Security
> Verification Standard" but would like to request some clarification about
> the RFP.
> QUESTION #1: Is part of the goal of RFP to define/propose an evaluation
> scheme framework (e.g. define who performs reviews against criteria, who
> reviews review results and decides an application is certified, etc.)?

The objective is to clarify what should be the baseline of an application
security review (since every single company out there does it differently,
and the buyer have no ways to actually evaluate it)

On your proposal (

you take the 'certification' route, which although desired, is currently
something that we at OWASP have not a clear vision on how it would work
(from who certify to who will enforce it, to what happens to the non
compliant). The first step is to create a document (which the community can
agree to) that represents what an 'Application Security Assessment (or
Verification)' should be.

If you haven't already, take a look at
that is something you should take into account (and reuse as much as
you can from it (In fact you probably should work within that OWASP project
and apply your ideas to what has already been done (Bob is a great guy and
he will be very happy to see his work evolve )))

Note that community participation and buy-in is critical for this to be a
success, and for reference, one of Bob's problem was lack of community
participation to his ideas, so it might be a good idea to get a couple of
security companies and 'buyers of security review services' into the mix.

> QUESTION #2: Are the level names that an application may be evaluated
> against using the proposed "OWASP Application Security Verification
> Standard" already defined? Or, are the three level names that are in the RFP
> intended as example level names? They don't match for example the levels
> defined in "Definition for Security Assessment Levels" on the OSWAP web
> site.

Well, they are suggested and you are more than welcome to normalize them and
propose a better set of names   :)

> QUESTION #3: Is part of the goal of RFP to produce something like CC part
> 2/3 and FIPS PUB 140-2, or instead something like CC CEM and FIPS 140-2
> DTR? If there are some combination of security functional and assurance
> requirements whatever they might be called already defined for the three
> levels identified in the RFP, I could not find them on the OSWAP web
> site. The levels for example identified in "Definition for Security
> Assessment Levels" on the OSWAP web site are undefined in terms of security
> requirements for each level.
I don't have any experience with the CC so I can't really answer that, but I
can tell you that at the moment nothing it really defined (in fact the main
objective of this project you are applying to, is to define A standard so
that clients can clearly know what to expect from their security reviews

  QUESTION #4: What does "Beta Quality" mean for this RFP, given "Beta
> Quality" is undefined in general for documentation on the OSWAP web site,
> and given this RFP is quite different than other OSWAP documentation RFPs in
> purpose (and perhaps depending on answers to the above, in scope). For
> example, it would seem necessarily that what would be proposed in a proposal
> as a "specific deliverable" would be a first complete draft of "OWASP
> Application Security Verification Standard" scheme documentation. Where,
> "complete" is defined as a first proposed way of implementing the different
> aspects of the scheme, within the scope of the RFP. This first proposed way
> would then necessarily need further OSWAP review and discussion and some
> sort of approval before the scheme could be implemented.

as you can see from (
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment) we are
still in the process of what we expect from an beta OWASP documentation
project , but in your case I would expect at least a first version of this
standard (i.e. all sections with content, and something that could be used
in a real world assessment).

We would print it as a book (see http://stores.lulu.com/owasp), but I would
not expect that this would be the final version, since only when we have
that first version it is possible to try it and see where it works and where
it doesn't.

Finally, this type of standards are one area that our (OWASP) community is
very interested, so we (OWASP board) will help you as much as we can.

Best regards

Dinis Cruz
Chief OWASP Evangelist

  Thanks in advance,
>  - Mike
> -------------------
> Mike Boberski
> (At home)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20080320/7a306338/attachment-0002.html>

More information about the Owasp-board mailing list