[Owasp-board] [Owasp-leaders] Next Release of the Secure Web Application Framework Manifesto

Paulo Coimbra paulo.coimbra at owasp.org
Fri Oct 8 22:42:22 UTC 2010


Hello Rohit et al,

 

Firstly, I had created the project page a couple of days ago but haven't had the
opportunity as of yet to write this email down.

 

The
http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto#tab=Project_About
wiki page has been placed amongst all the other OWASP Projects
http://www.owasp.org/index.php/Category:OWASP_Project#tab=Alpha_Status_Projects

 

Please check it out and let me know if you find any problems or mistakes. 

 

Feel free to add any additional information to the project's wiki page or to
request assistance regarding its edition.

 

Please note that we are missing Tom's and Patrick's OWASP/wiki
usernames. We recommend that every project leader or contributor creates a
wiki account and makes it available on his project page. Those elements will
help us with building a proper idea of their technical profile and will
facilitate the contact within OWASP contributors. Please see below the
tutorial's first paragraph and an example. 

 

http://www.owasp.org/index.php/Tutorial

 

http://www.owasp.org/index.php/User:Mtesauro 

 

I also ask if you please can find the cycles to fill in the following links:

 

http://www.owasp.org/index.php/OWASP_Secure_Web_Application_Framework_Manifesto/Roadmap

 

http://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/SWAF_Manifesto_v0.08/Notes

 

Secondly, when your project reaches a point that you'd like OWASP to assist
in its promotion, the GPC will need the following to help spread the word
about your project:


 * Project Flyer/Pamphlet (PDF file):
http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/

 

 * Conference style presentation describing the project in at least 3 slides -
http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/

 

Thirdly, as work on your project progresses and you are ready to create a
new release, please let the GPC know of the change in status.  

 

The GPC can work with you to get your project assessed and moved up the
OWASP quality ladder from Alpha to Beta to Stable.  Not every release
requires an assessment - feel free to email the GPC if you are unsure about
your project's requirements.  


That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me. 

 

Many thanks, best regards,

 

PS. Please let me know whether or not you wish OWASP email addresses. 

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Sethi, Rohit [mailto:rohit at securitycompass.com] 
Sent: Friday, 8 October 2010 20:51
To: Sethi, Rohit; Paulo Coimbra; Chan, Yuk Fai
Cc: 'dinis cruz'
Subject: RE: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Paulo, it looks like you did indeed set this up. My apologies! I missed the
email for some reason

 

Rohit Sethi

Director, Professional Services

Security Compass

http://www.securitycompass.com <http://www.securitycompass.com/> 

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

Twitter: rksethi

 

From: Sethi, Rohit 
Sent: Friday, October 08, 2010 3:44 PM
To: 'Paulo Coimbra'; Chan, Yuk Fai
Cc: 'dinis cruz'
Subject: RE: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Hi Paulo, just wanted to casually ping you and see if there's been any
progress? Sorry if I'm pinging too much - just getting eager :)

 

Rohit Sethi

Director, Professional Services

Security Compass

http://www.securitycompass.com <http://www.securitycompass.com/> 

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

Twitter: rksethi

 

From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org] 
Sent: Friday, September 24, 2010 3:20 PM
To: Sethi, Rohit; Chan, Yuk Fai
Cc: 'dinis cruz'
Subject: RE: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Rohit and Yuk,

 

Clearly I owe you both an apology and a clear explanation for my delayed
answer. The truth is that a sequence of not deferrable personal issues has
kept me out of work for a considerable period of time and consequently I
haven't been able to seasonably deal with my OWASP duties. I sincerely
apologise and will try to set up this project as soon as possible. Please,
give me a couple more days and I will get back to you.

 

I thank you for your patience and your support of OWASP.

 

Best regards,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Sethi, Rohit [mailto:rohit at securitycompass.com] 
Sent: Friday, 24 September 2010 20:04
To: Chan, Yuk Fai; paulo.coimbra at owasp.org
Cc: Sethi, Rohit
Subject: RE: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Hi Paulo, any luck in moving this forward?

 

Thanks,

 

Rohit Sethi

Director, Professional Services

Security Compass

http://www.securitycompass.com <http://www.securitycompass.com/> 

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

Twitter: rksethi

 

From: Chan, Yuk Fai 
Sent: Thursday, September 09, 2010 4:58 PM
To: paulo.coimbra at owasp.org
Cc: Sethi, Rohit
Subject: Re: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Hi Paulo,

 

I'm Yuk Fai, and I will be the maintainer / contact person for this project.
Thank you for getting back to us. As requested, here are the details about
our project:

 

Title

Secure Web Application Framework Manifesto

 

Project Purpose / Overview

The Secure Web Application Framework Manifesto is a document detailing a
specific set of security requirements for developers of web application
frameworks to adhere to. The goal is to help develop more secure
applications from the start. The manifesto centers around the following
beliefs:

 * Frameworks that are 'secure by default' will yield a dramatic
reduction in the number of common web application security vulnerabilities.

 * Application security experts should provide, on a regular basis,
updated guidance to framework developers on how to incorporate mechanisms to
avoid newly discovered vulnerabilities.

Project Roadmap

 * Most of the documentation is already written (see attached
document).

 * We aim to release a first draft of the manifesto by the end of
2010.

 * We want to solicit feedback from the security community and update
the requirements periodically.

 * We want to push the web application frameworks to evaluate
themselves against these requirements.

 * Ideally, we would also like to start an offshoot web application
framework project (e.g. Django-Sec) that incorporates many of these
requirements.

Project links

http://labs.securitycompass.com/

 

Project License

Creative Commons Attribution ShareAlike 3.0 license

 

Project Leader

Rohit Sethi

rohit at securitycompass.com

wiki username: rksethi

 

Project Maintainer

Yuk Fai Chan

yukfai at securitycompass.com

wiki username: account pending approval

 

Project Contributors

Tom Aratyn

tom at securitycompass.com

 

Sahba Kazerooni

sahba at securitycompass.com

 

Patrick Szeto

patrick at securitycompass.com

 

As mentioned above, I have attached a copy of our manifesto for your
reference. 

 

We would very much appreciate your feedback on our project. Please feel
free to contact me if you have any questions or need any additional
information.

 

Thanks, and regards,

 

 

Yuk Fai Chan

Security Consultant

Security Compass

http://www.securitycompass.com <http://www.securitycompass.com/> 

 

From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org] 
Sent: Wednesday, June 16, 2010 11:14 AM
To: Sethi, Rohit
Cc: 'Global Projects Committee'
Subject: RE: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Hello Rohit,

 

Hope you are well. I apologise for my delayed response. As you have guessed,
as a result of a holiday period, I got swamped in a backlog of emails.

 

First of all, thank you for volunteering to lead another OWASP Project.  It
is with volunteers like yourself that OWASP continues to succeed in making
application security visible.

Second, regarding your new leadership of this project, I'd like to request
that you send (if possible) a project roadmap - basically the high level
details of where you'd like to take the project.  The OWASP Global Projects
Committee (GPC) will look at the roadmap and provide feedback on your
project:  suggesting projects which are closely related, resources and
contacts which may assist your efforts and any other suggestions to increase
your project's success.

 

To get your project started, here are a couple of references for your
review:

 - The Guidelines for OWASP Projects provide a quick overview of items key
to a project's success -
http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects,


 - OWASP's Assessment Criteria is the metric by which projects are
evaluated.  There are three categories for projects: Alpha, Beta, and
Release.  The Assessment Criteria allows project leaders to know what
aspects of projects OWASP values -
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment,

 

 - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,


Your project will have an OWASP wiki page to inform and promote your project
to the OWASP community.  To setup your project's page, please provide the
details below so that the GPC can establish your initial project page.  The
details provided will be used to complete OWASP's project template.  Feel
free to add any additional information to the wiki page or request assistance
about how to add to your project's wiki page.

Details to create your project page:
(0) Project Name,

(1) Project purpose / overview,
(2) Project Roadmap (as mentioned above),
(3) Project links (if any) to external sites,
(4) Project License
(http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Licensing),
(5) Project Leader name, 

(6) Project Leader email address,
(7) Project Leader wiki account - the username (you'll need this to edit the
wiki),
(8) Project Maintainer (if any)  - name, email and wiki account (if any),
(9) Project Contributor(s) (if any) - name, email and wiki account (if any),

As your project reaches a point that you'd like OWASP to assist in its
promotion, the GPC will need the following to help spread the word about
your project:

 * Conference style presentation describing the project in at least 3 slides -
http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/


 * Project Flyer/Pamphlet (PDF file) -
http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/


As work on your project progresses and you are ready to create a release,
please let the GPC know of the change in status.  The GPC can work with you
to get your project assessed and moved up the OWASP quality ladder from
Alpha to Beta to Stable.  Every release does not require an assessment -
feel free to email the GPC if you are unsure about your project's
requirements.  For examples of projects at various quality levels, please
see the OWASP Project page -
http://www.owasp.org/index.php/Category:OWASP_Project

 

That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me. 

 

Many thanks, best regards,

 

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page> 

 

From: Sethi, Rohit [mailto:rohit at securitycompass.com] 
Sent: Wednesday, 16 June 2010 15:52
To: Paulo Coimbra
Cc: Sethi, Rohit
Subject: RE: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Hi Paulo, I realize you're probably swamped in a backlog of emails but just
wanted to follow-up quickly on this

 

Thanks,

 

Rohit Sethi


Director, Professional Services

Security Compass

http://www.securitycompass.com <http://www.securitycompass.com/> 

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

Twitter: rksethi

 

From: Sethi, Rohit 
Sent: Monday, June 07, 2010 3:06 PM
To: Paulo Coimbra
Cc: global-projects-committee at lists.owasp.org; Sethi, Rohit
Subject: RE: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Hi Paulo, can we get started on making this into an OWASP project?

 

Thanks,

 

Rohit Sethi

Director, Professional Services

Security Compass

http://www.securitycompass.com <http://www.securitycompass.com/> 

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

Twitter: rksethi

 

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Sethi, Rohit
Sent: Thursday, May 06, 2010 11:52 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Next Release of the Secure Web Application
Framework Manifesto

 

Hi all, we've released version 0.08 of the Secure Web Application Framework
Manifesto at http://labs.securitycompass.com

 

This is the 2nd public release of the document. Our goal is to provide a list of
requirements so that web application frameworks offer more security out of
the box. Our next step will be to move this over to an OWASP project, and
then to solicit participation from framework developers. If anyone
participates in or knows of the developers of the Django or Lift web app
frameworks please let me know. As always, we look forward to any suggestions
you have.

 

We had a lot of feedback on additional requirements from our previous
release. We took the approach of actually reducing the total number of
requirements in this release so that we have a greater chance of achieving
success with the frameworks. We plan on adding to the requirements in future
years.

 

Thanks,

 

Rohit Sethi

Director, Professional Services

Security Compass

http://www.securitycompass.com <http://www.securitycompass.com/> 

Direct : 888-777-2211 ext. 102

Mobile: 732.546.4473

Twitter: rksethi

 
