I agree with Sebastien, the first focus is to create a framework with the 'People Process & Technology' required to make it happen (this applies to ASVS project <a href="https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Application_Security_Verification_Standard">https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Application_Security_Verification_Standard</a> as to others like <a href="https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#Online_code_signing_and_integrity_verification_service_for_open_source_community_.28OpenSign_Server.29">https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#Online_code_signing_and_integrity_verification_service_for_open_source_community_.28OpenSign_Server.29</a>)<br>
<br>The issue of certification is one that will have to be addressed in the future. When that happens, this 'certification world' will have to be created in harmony with the other OWASP projects that also point to a certification route.<br>
<br>Actually, one of my favorite side-consequences of these projects is that they will 'force' the creation of a solution for the 'OWASP certification' problem.<br><br>But, one problem at a time.<br><br>First we need to have these standards or services working using OWASP's projects as the test targets.<br>
<br>Remember that there is very healthy demand in the industry for this type of certification, so I am not really worried about the next phases, since when we hit on a 'working model' the momentum will appear.<br><br>
Dinis<br><br><br><br><div class="gmail_quote">On Sun, Jun 1, 2008 at 10:57 AM, Sebastien Deleersnyder &lt;seba@deleersnyder.eu&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">













<div link="blue" vlink="purple" lang="NL">

<div>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Pierre, Mike (e-mail?),</span></font></p><div class="Ih2E3d">

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">>Still a project specific question: Mike proposes
in the ASVS project to </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">>have an 'Owasp certificate', that would be issued
by the Owasp (without </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">>guarantee) against a fee. Is this compatible with
the Owasp status ? and </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">>with Owasp available man power ?</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

</div><p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">I think it is too early for this project to consider 'owasp
certifications'.</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">I understand your first goal is to set out a standard
framework? It is a big leap to go to certification from there.</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">For me it does not make sense to have the same
organisation lay out standards and 'certifying' subjects
(people/organisations?) against this standard (based on what criteria?)</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Regards</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Seba</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>

<p><font color="navy" face="Arial" size="2"><span style="font-size: 10pt; font-family: Arial; color: navy;"> </span></font></p>

<div>

<div style="text-align: center;" align="center"><font face="Times New Roman" size="3"><span style="font-size: 12pt;" lang="EN-US">

<hr align="center" size="2" width="100%">

</span></font></div>

<p><b><font face="Tahoma" size="2"><span style="font-size: 10pt; font-family: Tahoma; font-weight: bold;" lang="EN-US">From:</span></font></b><font face="Tahoma" size="2"><span style="font-size: 10pt; font-family: Tahoma;" lang="EN-US">
<a href="mailto:owasp-board-bounces@lists.owasp.org" target="_blank">owasp-board-bounces@lists.owasp.org</a>
[mailto:<a href="mailto:owasp-board-bounces@lists.owasp.org" target="_blank">owasp-board-bounces@lists.owasp.org</a>] <b><span style="font-weight: bold;">On
Behalf Of </span></b>Paulo Coimbra<br>
<b><span style="font-weight: bold;">Sent:</span></b> Friday 30 May 2008 17:05<br>
<b><span style="font-weight: bold;">To:</span></b> 'Pierre Parrend'<br>
<b><span style="font-weight: bold;">Cc:</span></b> 'OWASP Foundation Board List'<br>
<b><span style="font-weight: bold;">Subject:</span></b> [Owasp-board] OWASP BOARD
- REQUEST FOR COMMENTS/RE: Call for OWASP Summer of Code's 2008 reviewers</span></font><span lang="EN-US"></span></p>

</div><div><div></div><div class="Wj3C7c">

<p><font face="Times New Roman" size="3"><span style="font-size: 12pt;"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Pierre</span></font><span lang="EN-GB">,</span></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">I hope you are
well.</span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">I am glad to hear
that you are already working with Mike Boberski. WRT the Board confirmation, I
will get back to you soon with more information and details </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Regarding the Phil
Potisk &amp; Richard Conway's project, as you know, I have asked them to
confirm you as Second Reviewer but I am still waiting for an answer. I'll
keep you updated.</span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Concerning the
reviewer role, I confirm your point of view. </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Additionally, on
the one hand and on top of what was said in the first email about this
issue (Subject: Call for OWASP Summer of Code's 2008 reviewers), I would
say that it is preferable to keep a clear distinction between
author(s)/contributors and reviewers. I believe that clear and distinctive
roles create the scientific/technical conditions to have final improved
deliveries. However, to me, to be a reviewer means, at least, to point out
scientific/technical and methodological mistakes, to propose paths to follow,
to propose tools and documentation/bibliography to be studied and consulted.</span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">On the other hand,
we don't want to </span></font><span lang="EN-US">over define everything -
keeping in mind that </span><span lang="EN-GB">our proposed main goal is to
deliver the best results possible within the given timetable, w</span><span lang="EN-US">e encourage teamwork</span><span lang="EN-GB">. Still, we will always
be here if you find advantage in consulting us for anything you think we can
help with.</span></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><b><font face="Arial" size="2"><span style="font-size: 10pt; font-weight: bold;" lang="EN-GB">With
respect to the 'project specific question', I am redirecting you to
OWASP Board. I am sure that your question will be answered as soon as possible.
</span></font></b></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Keep up with the
good work. Thank you. </span></font></p>

<p style="text-align: justify;"><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Paulo Coimbra</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">OWASP Project Manager</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-US">-----Original Message-----<br>
From: Pierre Parrend [mailto:<a href="mailto:pierre.parrend@insa-lyon.fr" target="_blank">pierre.parrend@insa-lyon.fr</a>] <br>
Sent: 26 May 2008 20:46<br>
To: Paulo Coimbra<br>
Subject: Re: Call for OWASP Summer of Code's 2008 reviewers</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Dear Paulo,</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> I have begun working with Mike Boberski for the
review of the ASVS </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">project. I have read I thus need official agreement
from the owasp, how </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">is it processed ?</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">I also have a couple of questions:</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">- I also would be interested in reviewing the online
code signing </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">project. Is there still some need for reviewer ? can
you please confirm </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">me the mail of the project leaders ? I think it to be </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"><a href="mailto:techierebel@yahoo.co.uk" target="_blank">techierebel@yahoo.co.uk</a></span></font><span lang="EN-GB">, but would like to be sure before spamming,</span></p>


<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">- is the expected role of reviewer detailed somewhere
? The obvious part </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">is the 50%/100% assessment. I assume that regular
feedback on the </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">project, and maybe additional input can be of great
help to improve the </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">quality of the documentation. Can you just confirm me
that this is in </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">the frame of the Owasp reviews ?</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Still a project specific question: Mike proposes in
the ASVS project to </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">have an 'Owasp certificate', that would be issued by
the Owasp (without </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">guarantee) against a fee. Is this compatible with the
Owasp status ? and </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">with Owasp available man power ?</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">thanks for this information,</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">cheers,</span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB"> </span></font></p>

<p><font face="Arial" size="2"><span style="font-size: 10pt;" lang="EN-GB">Pierre</span></font><span lang="EN-GB"></span></p>

</div></div></div>

</div>



<p><font face="Arial" size="2"> </font> </p><br>_______________________________________________<br>
Owasp-board mailing list<br>
<a href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-board" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
<br></blockquote></div><br>