[Owasp-common-numbering] Universal OWASP numbering scheme

Colin Watson colin.watson at owasp.org
Mon Jul 30 19:44:41 UTC 2012


Andrew

Actually something else occurred to me after sending this email. It is
possible the over-arching OCR list contains items that do not exist
in any of the guides, even the development guide. Perhaps items that
relate to SDLC phases pre and post implementation for example. I'm
not sure we need to think exactly what those are now, but we do need
to allow for the possibility, and therefore I think the Development
Guide, and the other guides, should each have their own numbering,
albeit with a consistent format/pattern.

I'm open to being convinced otherwise!

Colin

On 30 July 2012 12:32, Colin Watson <colin.watson at owasp.org> wrote:
> Andrew (Matteo and OCN mailing list copied)
>
> I provided some feedback on the draft AUTH section for a common
> numbering scheme and attach my document to this email.
>
> To summarise, amongst other things I think the OCR should not
> necessarily be the codes used in each/any guide. While the development
> guide might well be closest to a list of Common Requirements, it may
> not necessarily be fully structured that way, and something like the
> Testing Guide will be structured in another way. So the OCR would be a
> separate flat list with relationships between the items, and mappings
> to IDs in each of the guides. Mappings could also be created to CWEs,
> CAPEC, etc.
>
> A separation between the OCR and any/all guides also means it is
> possible to update/extend one without changing the other.
>
> Thus I don't think the Development Guide ought to be the OCR, and also
> it needn't wait for an OCR to be defined. Having an agreed pattern for
> guide item numbering (like what's already in the Testing Guide) is
> needed though.
>
> Colin
>
> On 24 July 2012 15:50, Eoin Keary <eoin.keary at owasp.org> wrote:
>> previous work is here:
>>
>> https://www.owasp.org/index.php/OWASP_Common_Numbering_Project#tab=OWASP_Common_Requirements_Numbering_Scheme
>>
>>
>> I have also included Colin Watson; he did up some documents in relation to
>> this as well, if I remember correctly.
>>
>>
>>
>> On Tue, Jul 24, 2012 at 3:40 PM, Dave Wichers
>> <dave.wichers at aspectsecurity.com> wrote:
>>>
>>> Related to that is this mapping between the ASVS and Keith’s Secure Coding
>>> Guide from around March 2011. This might help you identify requirements that
>>> need to be included in the common numbering scheme.
>>>
>>> -Dave
>>>
>>> From: mtesauro at gmail.com [mailto:mtesauro at gmail.com] On Behalf Of Matt
>>> Tesauro
>>> Sent: Tuesday, July 24, 2012 10:31 AM
>>> To: vanderaj vanderaj
>>> Cc: Dave Wichers; Jim Manico; Eoin Keary; Abraham Kang; Keith Turpin
>>> Subject: Re: Universal OWASP numbering scheme
>>>
>>> Andrew,
>>>
>>> You might want to ping Keith Turpin on this as well (CC'ed).  He was
>>> actively involved in the common numbering scheme when it started.  He's the
>>> project lead for the Secure Coding Practices QRG:
>>>
>>> https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
>>>
>>> Best of luck.  It's great to see this effort get some focus.  Thanks for
>>> picking it up and running with it.
>>>
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP Board Member
>>> OWASP WTE Project Lead
>>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>> http://AppSecLive.org - Community and Download site
>>>
>>> On Tue, Jul 24, 2012 at 3:38 AM, vanderaj vanderaj <vanderaj at owasp.org>
>>> wrote:
>>>
>>> Hi folks,
>>>
>>> It's time. I'm going to create a universal numbering scheme for all of the
>>> Guides. I need it for the OWASP Developer Guide 2013, and hopefully it will
>>> be useful for your guides / projects too. The titles will be getting a
>>> positive spin, because that works for the majority of the consumers of the
>>> universal numbering scheme.
>>>
>>> I'm starting with Dave Wichers' first start of a universal scheme as
>>> that's as good a place as any.
>>>
>>> I will back fill using any numbering I find on your projects, and try to
>>> work in blanks from the ASVS. The rest will come from the current OWASP
>>> Developer Guide 2013 ToC.
>>>
>>> I'd like really good and robust feedback once it's done as I want to use
>>> it with the next status update for the OWASP Developer Guide 2013.
>>>
>>> Is there anyone who *needs* to be involved at this stage that I have not
>>> included or violently disagrees with the positive spin?
>>>
>>> thanks,
>>> Andrew
>>>
>>
>> --
>> Global Board Member (Vice Chair)
>>