[Owasp-board] [Global_tools_and_project_committee] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Paulo Coimbra paulo.coimbra at owasp.org
Thu Mar 5 16:02:04 UTC 2009


Mike,

I thank you for your thoughts and, if I may, to trigger and open up the discussion,
I suggest sending your email to the leaders' mailing list.

Regards,

Paulo Coimbra,
OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>


From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
Sent: Thursday, 5 March 2009 13:29
To: Dave Wichers; paulo.coimbra at owasp.org; OWASP Foundation Board List;
global_tools_and_project_committee at lists.owasp.org
Subject: RE: [Global_tools_and_project_committee] [Owasp-board] FW:
REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Team, OWASP is getting overly bureaucratic, it seems to me.

I'd rather see people putting time/energy into tightening up their project
pages, tools, and project presentations/datasheets. Examples are PHP and
.NET ESAPI: there's no published mapping of Java ESAPI to PHP/ESAPI, which
also should then identify which interfaces are being targeted for which
releases. I'm going to try to work with Andrew to fix that problem for PHP
since I may have a need for a PHP ESAPI for a customer engagement, but it's
still a good example.

The more complete and professional a page/doc/tool looks, the easier it is
to identify the status and content of a doc/tool, and the easier it is to figure
out its usefulness and to promote its adoption. That a doc/tool has correct
content or works is taken as a given; that is completely secondary to the
initial figuring out of whether a doc/tool is a potential solution to one's problem
of the day.

I would also caution against downgrading projects, which is what one of the
comments seems to imply could happen. If you must address some perceived
contention over project assessment criteria, you should simply put dates
against ratings, identify the criteria version that a project was
assessed against, and then leave that rating alone as the criteria continue to
evolve over time. That is what better-established and formal testing
programs such as Common Criteria and FIPS 140 do. I hope I am
misreading the comments on this point, however.

Best,

Mike B.


_____

From: global_tools_and_project_committee-bounces at lists.owasp.org
[mailto:global_tools_and_project_committee-bounces at lists.owasp.org] On
Behalf Of Dave Wichers
Sent: Wednesday, March 04, 2009 5:34 PM
To: paulo.coimbra at owasp.org; 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: Re: [Global_tools_and_project_committee] [Owasp-board] FW:
REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

I'm OK with this, although I'm not a big fan of many of the suggestions
below. But that's OK. Let's get the ideas out there and we can then make some
decisions.

-Dave


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Paulo Coimbra
Sent: Wednesday, March 04, 2009 11:25 AM
To: 'OWASP Foundation Board List';
global_tools_and_project_committee at lists.owasp.org
Subject: [Owasp-board] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO
UPDATE THE ASSESSMENT CRITERIA
Importance: High

Board, Project's Committee,

In consequence of the comments received in the last Committee meeting, I've
introduced the changes underlined in yellow. Please let me know if this email
can be sent off.

Many thanks, regards,

Paulo


Hello Leaders,

I hope you are well.

You, better than anyone else, know that OWASP as an organization has been
built by your continuous open contributions, both by defining its mission,
organizational structure, rules and procedures and by leading the
application security projects that are its core activity.

In today's call for contributions, the procedures regarding the assessment of
projects' development stage are the main issue.

As you may know, a system to evaluate OWASP projects is already in use and
actually consists of both a set of criteria
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment and a
skeleton/frame to implement it
http://www.owasp.org/index.php/OWASP_Live_CD_2008_Project_-_Assessment_Frame.
 

With a few other subsequent modifications, this set of criteria has mainly
resulted from a vigorous discussion held through this mailing list almost a
year ago, and since then it has been used in all newly set up projects.

Since then this issue has been discussed consecutively in several different
contexts. In our Summit, for example, even if we didn't commit a
specific slot of time to deal with this matter, it collaterally arose
throughout many project presentations. In addition, I regularly receive
requests from the OWASP Board to make modifications, a systemic reflection is
being held within the Project's Committee and, as a result of my daily
handling of projects under review, I am obtaining some feedback from project
leaders and reviewers.

Overall, the people with whom I've discussed this issue usually say that the
procedure can be improved and, IMHO, even if I think the Assessment Criteria
are working and have actually been of great help, they are right.
 

From these discussions, I've retained that a handful of criteria have been
proposed but haven't been implemented yet as forthcoming:

- OWASP writing style (Tool projects/Release Quality),
- Translation (Tools and Documentation/Release Quality),
- Bi-monthly periodic news (Tools and Documentation/non specified Quality status),
- 5 slide deck for OWASP Boot Camp project (Tools and Documentation/Beta status),
- Attribution rules (Tools and Documentation/non specified Quality status),
- Compulsory Project Skeleton/Frame (Tools and Documentation/all Quality status),
- Reviewer role - addition and clarification,
  http://owaspsoc2008.wordpress.com/2008/07/15/assessment-guidance/
- Mentor role addition and definition.

In addition, as far as I am concerned, a few more structural comments have
also been made. Even without pointing out alternative technical solutions,
at least a couple of them have questioned the rationale of working with
tables in wiki text and others have pointed out the willingness of having a
project's page similar to, for example, this one: http://www.hdiv.org/.

 

Having said all the above with the intention of giving you a picture of the
current situation, I ask for your contribution so as to update the OWASP
Assessment Criteria.

In operational terms, I've replicated the Assessment Criteria page
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment_-_Update
and propose you introduce your changes directly on it. As soon as we finish
the discussion phase, all the contributions will be moved to the original
wiki page. With the goal of enhancing the discussion, I also propose you use
this mailing list to inform which changes are being proposed and the reason
or goal for doing so. We are also building a Google questionnaire to collect
your opinions and contributions and, as soon as it is finished, it will be
sent off.

Please take into account that your proposals can have implications for the
assessment frame that we are currently using and, if that happens, please
present a compatible solution.

To conclude, I would like to inform you that the Project's Committee proposes
that, as soon as we finish this discussion, we establish as a rule applying
to all OWASP Projects that the quality categorization must respect the
revised assessment criteria, which eventually will mean that all projects not
assessed under these rules will be placed under Alpha Quality status.

I thank you all in anticipation and look forward to having your
indispensable feedback.

Regards,

Paulo Coimbra,
OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

