[Owasp-common-numbering] OWASP Common Numbering Project

Jason Li jason.li at owasp.org
Thu Jul 7 00:20:33 EDT 2011


At the GPC Working Session @ AppSecEU, the GPC set out to identify several
projects that were core to OWASP or had potential strategic value for the
impact on other projects.

One of these projects would be a potential common numbering system that can
be used by *all* OWASP projects.

Such a system would allow us to "tag" projects that help address security
areas/requirements and better organize and visualize our project space for
OWASP consumers.

OWASP Consumers could then easily see projects associated with specific
security requirements. OWASP projects could also reference this system in
their own documentation (as proposed for the Testing Guide, Development
Guide, ASVS, etc).

The GPC would *like* for the OWASP Common Numbering Project to fill this
role for OWASP projects. However, we reviewed the current draft proposal
numbering system and find that it does not quite fit this need for OWASP. I
know that Colin Watson made some comments (see attached) on the system,
which the GPC finds to be both accurate and constructive.

In particular, it does *not* seem to behoove the Common Numbering system to
include an area categorization (e.g. OCR-AUTH-XXX) in the title
specification. Controls/Requirements can very easily cross areas, as
demonstrated in the detailed article Colin wrote.

If the Common Numbering system is meant, as its name implies, to be a common
system for OWASP (and indeed for application security), then it should focus
on that role rather than trying to be an end all, be all resource for
application security controls and requirements. In fact, I can see value in
resurrecting the Common Vulnerability List, which cites the Common Numbering
system like any other OWASP project would and provides more detailed
information about security category, mitigation, etc.

But the GPC is in agreement that to be robust, flexible, and usable
generically by all of our projects, the common numbering system should be as
independent and abstract as possible.

As you may know, the GPC and the Global Conferences Committee is running a
joint initiative at AppSecUSA to populate a track of strategically important
OWASP initiatives and projects. The GPC would very much like the Common
Numbering Project to be part of this track and invite you to submit a talk

However, understand that the OWASP Track program committee will evaluate all
submissions based on content, past performance, and strategic value, so
selection is not guaranteed. Moreover, in its current form, it would almost
certainly *not* be selected, based on the accurate criticisms by Keith and
Colin that the currently proposed system falls short of the intended goal.

I know that you're very busy with other OWASP/work/personal endeavours, but
this project is very strategically important to OWASP. As Common Numbering
project leader, are you able to tend to these concerns?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-common-numbering/attachments/20110707/5c2ba213/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: owasp-numbering-cw.pdf
Type: application/pdf
Size: 971421 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-common-numbering/attachments/20110707/5c2ba213/attachment-0001.pdf 

More information about the Owasp-common-numbering mailing list