[Owasp-board] Higher Criteria on Starting projects

Matt Tesauro matt.tesauro at owasp.org
Wed Jun 24 19:43:07 UTC 2015


I'm 100% behind that counter point.  There are several items which _could_
and probably should be updated in that doc.

But, when people come up to me and say they need something to give to devs
so they have some guidance on how to develop securely, I tell them to
*_start_* with that doc.  That doc worked perfectly for Boeing at the time
it was written.  I am certain that both time and Boeing have changed since
it was authored.

That said, its a great way for a busy AppSec person to get 80%+ of the work
done.  You're always going to have to adapt things to the _context_ in
which they are used.  Same for OpenSAMM, same for ASVS.  Presumably, the
AppSec employee knows the business and can tailor the SCP-QRG to their
specific case.

This is a huge win for time strapped AppSec pros and I'd hate for them to
reject the document before actually reading it simply because of the "Low
Activity" badge.  Fundamentally, that's my point.

You'd hope that during the tailoring, they'd add bits about the JS
frameworks in use by their employer and anything else specific to their use
case.  We're never going to write the doc that fits all dev shops - WAY to
much diversity there.

While typing that email, I had considered chipping in on giving it an
update but I have too much on my plate getting ready for my new Adjunct
Professor Gig at the CS department at the University of Texas this fall.
Got 90+ college kids to inject with AppSec security clue this fall and I
want to do right by them.

Thanks for keeping me honest, Jim!


-- Matt Tesauro
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead

On Wed, Jun 24, 2015 at 2:24 PM, Jim Manico <jim.manico at owasp.org> wrote:

>  Matt,
> A polite counterpoint. This checklist does not address any of the modern
> javascript frameworks or modern identity methods (saml, oauth, oidc, etc).
> These items are very important for secure coding today.
> I would love to see this checklist undergo a cleanup and update.
> Respectfully,
> Jim
> On 6/22/15 5:55 PM, Matt Tesauro wrote:
> Johanna,
>  Generally speaking, I think the work with Project Review team has been
> stellar and the use of OpenHub is extremely useful.
>  I do think there's a big difference and gap in accuracy between
> "code-ish" projects and documentation projects.  If all docs were written
> in a markup and stored in Git, then we'd be in a better position but that
> is not the usual situation - more like a extreme statistical outlier.
>  The one place I've seen this not work - and I preface this with the fact
> that one specific case does not invalidate the entire process - is the
> Secure Coding Practices Quick Reference Guide [1].
>  This is listed as a "Low Activity Project: on the project page:
> https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory
>  However, this project is still VERY useful and I continue to recommend
> its use today.  It was very solid when Boeing donated it to OWASP and
> really hasn't _needed_ activity to remain useful.  While most projects,
> especially coding projects, deteriorate over time and 'get stale', some
> projects like this don't require much care and feeding to remain useful.
>  I worked on the Global Projects Committee (GPC) when it existed and this
> was a problem at that time as well.  Its very hard to find ~the one metric~
> or set of metrics which work well across the diversity of our projects.  We
> created separate criteria for projects vs code and even that really isn't a
> 100% method to categorize projects - there are things which don't fall
> cleanly into either category - like the OWASP WTE - its a collection of
> easy to consume tools and documentation and some automation/code to package
> those things up.  Is that code or a doc?  Who knows.  How about the OWASP
> Legal Project?  Its sort of a doc but not entirely.
>  If I had the magic answer I would have proposed it long ago on the GPC -
> its something you will struggle with.  I just want to make sure that we
> don't inadvertently 'down grade' projects which don't fit the metrics well
> but are still useful.
>  And, I agree 100% that project review is a VERY LABOR INTENSIVE
> process.  Maybe we need to round up some college kids and find a way to
> non-financially reward them for doing some project reviews for the
> Foundation.  That's not a bad pool of pretty smart people who generally
> have some spare time on their hands and are looking for resume/vita
> building activities.
>  Cheers!
>  [1]
> https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
>  --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
> On Sun, Jun 21, 2015 at 3:56 PM, johanna curiel curiel <
> <johanna.curiel at owasp.org>johanna.curiel at owasp.org> wrote:
>> Matt
>>  Yes indeed. In 2013 a Project Review team created this criteria( I was
>> one of them)
>> https://docs.google.com/spreadsheets/d/1upIyG0L-P-myUM6EPg0aJmCTDvJrdqaVdnjdNBME9is/edit?usp=sharing
>>  We have been using automated tools for tracking like Openhub and SWAMP,
>> but checking quality of documentation and testing is more labor intensive.
>>  Timo for example, is a developer and has been giving a hand on this, as
>> myself and when we hired a Tester to help us out with project reviews last
>> year.
>>  Still, like mentioned before, is labor intensive. We are looking at
>> ideas to help us automate as possible, but the human component is
>> indispensable so far.
>>  regards
>>  Johanna
>> On Sun, Jun 21, 2015 at 4:37 PM, Matt Konda < <matt.konda at owasp.org>
>> matt.konda at owasp.org> wrote:
>>> Johanna,
>>>  This is cool.  I hadn't seen this view yet.  Do we have a way to
>>> establish maturity of documentation, testing, issue response?
>>>  I am interested to chat more sometime.
>>>  Matt
>>> On Sun, Jun 21, 2015 at 4:13 PM, johanna curiel curiel <
>>> <johanna.curiel at owasp.org>johanna.curiel at owasp.org> wrote:
>>>> Hi MAtt
>>>>  Not sure if you are aware, we are using Openhub to track projects. It
>>>> gives us a quite complete report of the activity level of all the OWASP
>>>> projects using an open repository so we can track then.
>>>> https://www.openhub.net/orgs/OWASP
>>>>  [image: Inline image 1]
>>>>  I try to register them here and keep track. The main issue is empty
>>>> projects but we have reduce significantly the amount of empty projects,
>>>> however, there are some beginning with some lines of code and this is what
>>>> still concern us, because a few pages of text or some lines  of code cannot
>>>> be really consider a 'project'. This is where Timo and other members have
>>>> expressed their concern.
>>>>  I would like to discuss further your ideas on how to improve the
>>>> project platform faster and get more quality project  to certain status
>>>>  regards
>>>>  Johanna
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>  --
> You received this message because you are subscribed to the Google Groups
> "OWASP Projects Task Force" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to projects-task-force+unsubscribe at owasp.org.
> To post to this group, send email to projects-task-force at owasp.org.
> To view this discussion on the web visit
> <https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/CALKUk%2BN3AKS6LcyV9ueK35GFnNmdn01e_kA%2BiiLemyemmxk%3D%2BA%40mail.gmail.com?utm_medium=email&utm_source=footer>
> https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/CALKUk%2BN3AKS6LcyV9ueK35GFnNmdn01e_kA%2BiiLemyemmxk%3D%2BA%40mail.gmail.com
> .
> --
> Jim Manico
> Global Board Member
> OWASP Foundationhttps://www.owasp.org
> Join me at AppSecUSA 2015!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150624/44db1428/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 56989 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150624/44db1428/attachment-0001.png>

More information about the Owasp-board mailing list