[Owasp-board] FW: Project status: Use of Web Application Firewalls

Paulo Coimbra pcoimbra at owasp.org
Wed Aug 31 09:52:20 UTC 2011


All,

Taking into account what everyone has already said about this issue, on
top of the project leader self-assessment, I propose we pick three reviewers
as follows:
* Self Assessment - Achim,
* First Reviewer - Arian,
* Second Reviewer - Ryan,
* Third Reviewer - Eoin.
Please let me know about any disagreement with the path I am proposing so
that we can proceed.

Thanks,
- Paulo

Paulo Coimbra
OWASP Project Manager <https://www.owasp.org/index.php/User:Paulo_Coimbra>

From:  Tom Brennan <tomb at owasp.org>
Date:  Tue, 30 Aug 2011 23:19:26 -0400
To:  Paulo Coimbra <pcoimbra at owasp.org>
Cc:  OWASP Foundation Board List <owasp-board at lists.owasp.org>, Achim
<achim at owasp.org>, GPC <global-projects-committee at lists.owasp.org>, Eoin
Keary <eoin.keary at owasp.org>
Subject:  Re: [Owasp-board] FW: Project status: Use of Web Application
Firewalls

Ryan and Arian would be ideal for this effort IMHO


On Aug 30, 2011, at 3:38 PM, Eoin wrote:

> 
> Happy to help if you need a second pair of eyes.
> 
>  
> 
> On 30 Aug 2011, at 20:19, Paulo Coimbra <pcoimbra at owasp.org> wrote:
> 
>> Board & GPC,
>> 
>> As you can see below we are preparing the process of assessing (Stable
>> target) the latest release of the OWASP Best Practices: Use of Web
>> Application Firewalls Project.
>> 
>> What's more, as you know, in accordance with our current assessment criteria,
>> "It is recommended that an OWASP board member or Global Projects Committee
>> member be the second reviewer on Stable releases".
>> 
>> Consequently and even though Achim Hoffmann has already suggested three names
>> to act as first and second reviewers, i.e., Ryan Barnett, Arian Evans and
>> Anurag Agrawal, to comply with our rules, I need to ask you all if any of you
>> want to exercise the right of stepping in and acting in this release assessment
>> as Second Reviewer.
>> 
>> If you agree, in the circumstance of absence of answer from you, I will
>> assume that Achim can choose both reviewers from the set of three firstly
>> suggested.
>>   
>> Thanks,
>> - Paulo
>> 
>> Paulo Coimbra
>> OWASP Project Manager <https://www.owasp.org/index.php/User:Paulo_Coimbra>
>> 
>> From:  Paulo Coimbra <pcoimbra at owasp.org>
>> Date:  Tue, 30 Aug 2011 20:06:35 +0100
>> To:  Achim <achim at owasp.org>
>> Cc:  OWASP Foundation Board List <owasp-board at lists.owasp.org>, GPC
>> <global-projects-committee at lists.owasp.org>
>> Subject:  Re: Project status: Use of Web Application Firewalls
>> 
>> Hello Achim,
>> 
>> I have merged the two distinct pages the project anteriorly had as follows:
>> 
>> https://owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls#tab=Project_About
>>
>> https://owasp.org/index.php?title=Best_Practices:_Web_Application_Firewalls&redirect=no
>> 
>> Please check it out and let me know if you agree with the introduced changes
>> or, otherwise, I will reverse them.
>> 
>> As for the release assessment, I have carefully looked at the project's
>> outputs and it seemed to me that the latest English wiki release (version
>> 1.0.5) still doesn't have an equivalent PDF. Would it be possible for you
>> (and/or the German Chapter) to create it, please? Or do you prefer we assess
>> the version 1.0.4?
>> 
>> As for the assessment process itself, if you are targeting Stable Status the
>> procedure is as follows.
>> * Stable release: The project lead completes the pre-assessment checklist.
>> Then, the two project reviewers will complete their review of the release
>> (more on this below). After the reviews are complete, the Global Projects
>> Committee and OWASP Board will validate the project's review,
>> * Stable release: 2 reviewers are required. Second review has special
>> requirements.
>> * Ideally, per project release, the project leader will propose the
>> reviewer(s),
>> * Ideally, reviewers should be an existing OWASP project leader or chapter
>> leader.
>> * If the project lead is unable to find the required reviewer(s), the Global
>> Projects Committee can assist in identifying reviewer(s) for the project.
>> * It is recommended that an OWASP board member or Global Projects Committee
>> member be the second reviewer on Stable releases. The board has the initial
>> option to review the project, followed by the Global Projects Committee.
>> * The Global Projects Committee confirms the assignment of reviewers to a
>> project.
>> Taking the above into account, I will ask the Board and the GPC members
>> whether they want to perform the role of second reviewer. I will let them
>> know that you already have three different names to act as first and second
>> reviewers. In the circumstance they don't step in, I will get back to you
>> again for you to clarify, from the set of three names, which two you ultimately
>> chose for First and Second Reviewer.
>> 
>> Thanks,
>> - Paulo
>> 
>> Paulo Coimbra
>> OWASP Project Manager <https://www.owasp.org/index.php/User:Paulo_Coimbra>
>> 
>> From:  Achim <achim at owasp.org>
>> Reply-To:  Achim <achim at owasp.org>
>> Date:  Tue, 30 Aug 2011 09:40:19 +0200
>> To:  Paulo Coimbra <pcoimbra at owasp.org>
>> Subject:  Re: Project status: Use of Web Application Firewalls
>> 
>> Hi Paulo,
>> 
>> please see inline below.
>> 
>> Ciao
>> Achim
>> 
>> On 29.08.2011 18:58, Paulo Coimbra wrote:
>>>  Hello Achim,
>> ...
>>>  
>>>  As for your question, regarding the project, I would say that we just need to
>>>  assess it in accordance with the criteria here
>>>  https://www.owasp.org/index.php/Documents_Assessment_Criteria mentioned.
>> 
>> The document fulfills these criteria as follows:
>> 
>> ==> https://www.owasp.org/index.php/Documents_Assessment_Criteria
>>   * Alpha Release Document Criteria
>> 1. wiki page minimum? yes, see below
>> 2. open license? yes
>> 3. PDF available? yes
>> 4. project Category? yes (I guess)
>> 5. roadmap? no, as it is final
>> 
>>   * Beta Release Document Criteria
>> 1. alpha complete? yes
>> 2. all on OWASP wiki? yes
>> 3. about this? yes
>> (see "sheet overview", "Short Project Description", "Abstract")
>> Reviewer Action Items (my comments:)
>> 1. OWASP Writing Style? yes (mainly, as it is a translation)
>> 2. wiki matches doc? yes
>> 3. "About this .."? yes (it's headed "Abstract")
>> 4. how complete? it's complete
>> 
>>   * Stable Release Document Criteria
>> 1. alpha and beta? yes
>> 2. documented limitations? yes (inside the document itself)
>> 3. OWASP Writing Style? yes (mainly, as it is a translation)
>> 4. one sheet overview? no, as the template does not provide it
>> 5. format for book? unknown (is PDF sufficient?)
>> 
>> ==> https://www.owasp.org/index.php/Assessing_Project_Health#Project_Wiki_Page_Minimal_Content
>>   * Project Wiki Page Minimal Content
>> 1. up to date project template? I guess yes
>> 2. conference style presentation? no (as it was not yet presented on OWASP
>> conferences)
>> but it's an OWASP-style document, see
>> https://owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
>> 3. sheet overview? yes (see project link)
>> 4. working mailing list? yes
>> 5. application security issue? yes
>> 6. roadmap? no, as it is final
>> 7. project leader with wiki account? yes
>> Reviewer Action Items (my comments:)
>> 1. OWASP Writing Style? ??
>> 2. wiki matches doc? yes
>> 3. "About this .."? yes (it's headed "Abstract")
>> 4. how complete? it's complete
>> 1. beta reviewer? no
>> 2. address app. security? yes
>> 3. OWASP Writing Style? yes (mainly, as it is a translation)
>> 4. documented limitations? yes (inside the document itself)
>> 5. recommend the doc? yes
>> 6. missing critical? no
>> 
>>>  
>>>  To better understand what I am saying, if I may, I suggest glancing at the
>>>  following two projects' releases:
>>>  
>>>  https://www.owasp.org/index.php/Projects/OWASP_Zed_Attack_Proxy_Project/Releases/ZAP_1.3.0/Assessment
>>>
>>>  https://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment
>> 
>> 
>> Did it this way, see textual answers above.
>> (is there a wiki page/template to be completed?)
>> 
>>>  So, if you agree on the path I am above proposing, please let me know and I
>>>  will consequently install the new GPC templates needed to support the
>>>  assessment process.
>> 
>> ahh, these are the templates I'm asking for above :)
>> 
>>>  It would be also useful if you could tell me whether you
>>>  propose the needed two reviewers or if you want me to find them for you
>>>  https://www.owasp.org/index.php/Assessing_Project_Releases.
>> 
>> Ryan Barnett likes this document, so he surely qualifies best as reviewer.
>> And probably Arian Evans or Anurag Agrawal can review it also.
>>  
>>>  Looking forward to hearing back from you.
>>>  
>>>  Thanks,
>>>  - Paulo
>>>  
>>>  Paulo Coimbra
>>>  OWASP Project Manager <https://www.owasp.org/index.php/User:Paulo_Coimbra>
>>>  
>>>  From:  Achim <achim at owasp.org>
>>>  Reply-To:  Achim <achim at owasp.org>
>>>  Date:  Thu, 25 Aug 2011 13:55:02 +0200
>>>  To:  Paulo Coimbra <paulo.coimbra at owasp.org>
>>>  Subject:  Project status: Use of Web Application Firewalls
>>>  
>>>  Hi Paulo,
>>>  
>>>  it's been a while since we met in Lisboa, hope you're well.
>>>  IIRC, you and Sandra wanted to visit München, I'm still waiting here ;-)
>>>  
>>>  ---
>>>  Back to OWASP.
>>>  
>>>  In https://owasp.org/index.php/Projects we see that our documentation project
>>>  Category:OWASP Best Practices: Use of Web Application Firewalls
>>>  https://owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
>>>  
>>>  
>>>  is marked as alpha status.
>>>  As this is a documentation / paper only, I think it could be qualified
>>>  stable.
>>>  
>>>  What do we need to do to make it stable?
>>>  
>>>  We also like to add the jumping page
>>>  https://owasp.org/index.php/Best_Practices:_Web_Application_Firewalls
>>>  
>>>  to the OWASP Projects page. Is that possible?
>>>  
>>>  Would be nice if you can give me some answers.
>>>  
>>>  Ciao,
>>>  Achim
>> 
>> 
>> 
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board