[Owasp-board] Secure coding guide review

Paulo Coimbra paulo.coimbra at owasp.org
Thu Sep 9 00:04:47 UTC 2010

Hello Keith,


From where I am answering you, Portugal, it’s already late - half an hour after
midnight - and so I am obliged to be concise. Tomorrow I will respond you


Being so and firstly, regarding the assessment’s formal process itself,
please note that all the three reviews must be uploaded and so we still need
yours and Brad’s.






Secondly, as for rating the release as a Stable one, in operational terms, it
seems to me it can be done as soon as the First and Second Reviewers agree
on doing that.


However, since we have received quite strong feedback through the leaders’
mailing list, may I ask if you have already addressed all the relevant
issues pointed out, e.g. the following ones?


- ‘One quick note: this guide gives dangerous advice (HTML Entity
  Encode all data sent to the client). It should advise contextual encoding’ -
  Jim Manico,

- ‘I suggest a review against the guides and ASVS would be productive’
  - Jeff Williams,


I thank you for all your efforts, patience and diligence. I will contact you
again first thing in the morning.




Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager


From: Turpin, Keith N [mailto:keith.n.turpin at boeing.com] 
Sent: Wednesday, 8 September 2010 23:40
To: Paulo Coimbra
Subject: Secure coding guide review




I completed reviewing Ludovic Petit's feedback, which was mostly about the
opening structure of the document, and shared an updated version of the
document with him. I believe he supported moving to Release even before I
incorporated his input and he liked the changes.


I also reviewed all of the feedback from Brad Causey and sent him an updated
version for final review. I asked him to contact you if he approved the move
to Release or if he was unsure how to record his review.


Although not part of the formal review, I did get quite a bit of feedback,
mostly minor wording changes or typo corrections, from Michael Scovetta and
incorporated most of that as well.


I am working on creating an updated cross linked PDF file for the site now,
pending Brad's buy-off.


Assuming Brad likes what he sees, will it be possible to move this project
to Release before I present on it tomorrow afternoon? I will send you the
updated versions of the documents as soon as I hear from Brad or just prior
to the VIP party if I don't hear from him. I would want to get the new
versions posted even if the project reviews can't all be wrapped up in time.


I am rolling the document version to 1.1, in case anyone already downloaded
the originally posted version.


Also, please add the three gentlemen that provided reviews as contributors
to the project. Thank you for all your help.



Keith Turpin CISSP, CSSLP

The Boeing Company

Information Security

(206) 683-9667




