[Owasp-common-numbering] Universal OWASP numbering scheme

Colin Watson colin.watson at owasp.org
Mon Jul 30 11:32:08 UTC 2012


Andrew (Matteo and OCN mailing list copied)

I provided some feedback on the draft AUTH section for a common
numbering scheme and attach my document to this email.

To summarise, amongst other things I think the OCR should not
necessarily be the codes used in each/any guide. While the development
guide might well be closest to a list of Common Requirements, it may
not necessarily be fully structured that way, and something like the
Testing Guide will be structured in another way. So the OCR would be a
separate flat list with relationships between the items, and mappings
to IDs in each of the guides. Mappings could also be created to CWEs,
CAPEC, etc.

A separation between the OCR and any/all guides also means it is
possible to update/extend one without changing the other.

Thus I don't think the Development Guide ought to be the OCR, and also
it needn't wait for an OCR to be defined. Having an agreed pattern for
guide item numbering (like what's already in the Testing Guide) is
needed though.

Colin

On 24 July 2012 15:50, Eoin Keary <eoin.keary at owasp.org> wrote:
> previous work is here:
>
> https://www.owasp.org/index.php/OWASP_Common_Numbering_Project#tab=OWASP_Common_Requirements_Numbering_Scheme
>
> I have included Colin Watson also; he did up some documents in relation to
> this also, if I remember correctly.
>
> On Tue, Jul 24, 2012 at 3:40 PM, Dave Wichers
> <dave.wichers at aspectsecurity.com> wrote:
>>
>> Related to that is this mapping between the ASVS and Keith's Secure Coding
>> Guide from around March 2011. This might help you identify requirements that
>> need to be included in the common numbering scheme.
>>
>> -Dave
>>
>> From: mtesauro at gmail.com [mailto:mtesauro at gmail.com] On Behalf Of Matt
>> Tesauro
>> Sent: Tuesday, July 24, 2012 10:31 AM
>> To: vanderaj vanderaj
>> Cc: Dave Wichers; Jim Manico; Eoin Keary; Abraham Kang; Keith Turpin
>> Subject: Re: Universal OWASP numbering scheme
>>
>> Andrew,
>>
>> You might want to ping Keith Turpin on this as well (CC'ed). He was
>> actively involved in the common numbering scheme when it started. He's the
>> project lead for the Secure Coding Practices QRG:
>>
>> https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
>>
>> Best of luck. It's great to see this effort get some focus. Thanks for
>> picking it up and running with it.
>>
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>>
>> On Tue, Jul 24, 2012 at 3:38 AM, vanderaj vanderaj <vanderaj at owasp.org>
>> wrote:
>>
>> Hi folks,
>>
>> It's time. I'm going to create a universal numbering scheme for all of the
>> Guides. I need it for the OWASP Developer Guide 2013, and hopefully it will
>> be useful for your guides / projects too. The titles will be getting a
>> positive spin, because that works for the majority of the consumers of the
>> universal numbering scheme.
>>
>> I'm starting with Dave Wichers' first start of a universal scheme as
>> that's as good a place as any.
>>
>> I will back fill using any numbering I find on your projects, and try to
>> work in blanks from the ASVS. The rest will come from the current OWASP
>> Developer Guide 2013 ToC.
>>
>> I'd like really good and robust feedback once it's done as I want to use
>> it with the next status update for the OWASP Developer Guide 2013.
>>
>> Is there anyone who *needs* to be involved at this stage that I have not
>> included or violently disagrees with the positive spin?
>>
>> thanks,
>> Andrew
>>
>
> --
> Global Board Member (Vice Chair)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: owasp-numbering-cw.pdf
Type: application/pdf
Size: 971421 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-common-numbering/attachments/20120730/7da0dd10/attachment-0001.pdf>