[Owasp-board] Fwd: OSWAP SoC 2008, RFP, question about "P027 - OWASP Application Security Verification Standard"

Jeff Williams jeff.williams at owasp.org
Thu Mar 20 03:00:43 UTC 2008

Mike worked briefly at Arca while Dave and I were there.  Arca was one of
the Common Criteria labs. He went on to work at Cygnacom, another one of the
labs as a lead evaluator (I think)?  It'll be interesting to see his
proposal - I'm not too interested in replicating the CC Scheme, but perhaps
he understands it well enough to create a workable scheme for our world.




Jeff Williams, Chair

 <http://www.owasp.org/> The OWASP Foundation

work: 410-707-1487

main: 301-604-4882


 <https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference> OWASP
AppSec NYC 2008 is coming...  are you ready?


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Wednesday, March 19, 2008 10:12 PM
To: OWASP Foundation Board List
Subject: [Owasp-board] Fwd: OSWAP SoC 2008, RFP, question about "P027 -
OWASP Application Security Verification Standard"


Hey Jeff & Dave

Did you worked with Mike in a project? (Check thread below for my exchange
with him on his SoC submission)

Do you remember any details of it?


---------- Forwarded message ----------
From: Mike Boberski <mike.boberski at cox.net>
Date: Wed, Mar 19, 2008 at 10:43 PM
Subject: RE: OSWAP SoC 2008, RFP, question about "P027 - OWASP Application
Security Verification Standard"
To: dinis cruz <dinis.cruz at owasp.org>

Hi Dinis,


No worries w.r.t. email reply timing.


I'm clear on the objective.


I think I'll stick with my certification-based proposal. What I have in mind
is a self-certification scheme that would require review of
self-certification results by an OWASP validation board before being listed
as certified. One set of docs I propose would define the overall
certification framework, one set would define the requirements that
applications would be tested against.


Open source (w.r.t. participation in an open source community) is new to me,
I am only used to closed source if that's the right way to put it, but I
think I can leverage my closed source experience to propose a certification
framework and certification requirements that members of the community will
be able to buy into, I read Jeff's response carefully and understand the
objective. I would expect and look forward to talking with OWASP
members/community to further refine my proposals after producing at least
alpha quality versions of each of the deliverables that I have proposed.


I will re-review those documents further; I had found them (e.g.
presentations with the more than three different proposed levels etc.) and
taken an initial look before I wrote my proposal. I would definitely take
them as input/initial consideration as I would get started.


I would look forward to getting involved in the OWASP community, this seems
an opportunity to leverage my particularly vertical background/experience in
NSA and NIST security-related certification programs. For reference, it is
similar to Jeff's (minus law degree) and Dave's, before Aspect. I had even
worked with them briefly at one firm; it was a positive experiene, working
with them.




- Mike



Mike Boberski 
(At home)




From: dinis cruz [mailto:dinis.cruz at owasp.org] 
Sent: Wednesday, March 19, 2008 12:30 PM
To: Mike Boberski
Cc: Jeff Williams; Dave Wichers; paulo.coimbra at owasp.org
Subject: Re: OSWAP SoC 2008, RFP, question about "P027 - OWASP Application
Security Verification Standard"

Hi Mike (sorry about the delay in this this reply (and thx for your

Anyway, see below some comments on your questions:

On Sun, Mar 16, 2008 at 9:21 PM, Mike Boberski <mike.boberski at cox.net>

Hi guys,


I'm not sure who to direct this question to, so I apologize about the
perhaps wider than necessary distribution.


I am considering applying for the "P027 - OWASP Application Security
Verification Standard" but would like to request some clarification about
the RFP.


QUESTION #1: Is part of the goal of RFP to define/propose an evaluation
scheme framework (e.g. define who performs reviews against criteria, who
reviews review results and decides an application is certified, etc.)?

The objective is to clarify what should be the baseline of an application
security review (since every single company out there does it differently,
and the buyer have no ways to actually evaluate it)

On your proposal (
Application_Security_Verification_Standard) you take the 'certification'
route, which although desired, is currently something that we at OWASP have
not a clear vision on how it would work (from who certify to who will
enforce it, to what happens to the non compliant). The first step is to
create a document (which the community can agree to) that represents what an
'Application Security Assessment (or Verification)' should be.

If you haven't already, take a look at
t_Standards_Project since that is something you should take into account
(and reuse as much as you can from it (In fact you probably should work
within that OWASP project and apply your ideas to what has already been done
(Bob is a great guy and he will be very happy to see his work evolve )))

Note that community participation and buy-in is critical for this to be a
success, and for reference, one of Bob's problem was lack of community
participation to his ideas, so it might be a good idea to get a couple of
security companies and 'buyers of security review services' into the mix.


QUESTION #2: Are the level names that an application may be evaluated
against using the proposed "OWASP Application Security Verification
Standard" already defined? Or, are the three level names that are in the RFP
intended as example level names? They don't match for example the levels
defined in "Definition for Security Assessment Levels" on the OSWAP web


Well, they are suggested and you are more than welcome to normalize them and
propose a better set of names   :)


QUESTION #3: Is part of the goal of RFP to produce something like CC part
2/3 and FIPS PUB 140-2, or instead something like CC CEM and FIPS 140-2 DTR?
If there are some combination of security functional and assurance
requirements whatever they might be called already defined for the three
levels identified in the RFP, I could not find them on the OSWAP web site.
The levels for example identified in "Definition for Security Assessment
Levels" on the OSWAP web site are undefined in terms of security
requirements for each level.


I don't have any experience with the CC so I can't really answer that, but I
can tell you that at the moment nothing it really defined (in fact the main
objective of this project you are applying to, is to define A standard so
that clients can clearly know what to expect from their security reviews

QUESTION #4: What does "Beta Quality" mean for this RFP, given "Beta
Quality" is undefined in general for documentation on the OSWAP web site,
and given this RFP is quite different than other OSWAP documentation RFPs in
purpose (and perhaps depending on answers to the above, in scope). For
example, it would seem necessarily that what would be proposed in a proposal
as a "specific deliverable" would be a first complete draft of "OWASP
Application Security Verification Standard" scheme documentation. Where,
"complete" is defined as a first proposed way of implementing the different
aspects of the scheme, within the scope of the RFP. This first proposed way
would then necessarily need further OSWAP review and discussion and some
sort of approval before the scheme could be implemented.


as you can see from
(http://www.owasp.org/index.php/Category:OWASP_Project_Assessment) we are
still in the process of what we expect from an beta OWASP documentation
project , but in your case I would expect at least a first version of this
standard (i.e. all sections with content, and something that could be used
in a real world assessment).

We would print it as a book (see http://stores.lulu.com/owasp), but I would
not expect that this would be the final version, since only when we have
that first version it is possible to try it and see where it works and where
it doesn't.

Finally, this type of standards are one area that our (OWASP) community is
very interested, so we (OWASP board) will help you as much as we can.

Best regards

Dinis Cruz
Chief OWASP Evangelist

Thanks in advance,


- Mike



Mike Boberski 
(At home)




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20080319/2fe8d0a8/attachment-0002.html>

More information about the Owasp-board mailing list