From richard.quinn at owasp.org Thu Oct 16 09:54:21 2014
From: richard.quinn at owasp.org (Richard Quinn)
Date: Thu, 16 Oct 2014 11:54:21 +0200
Subject: [Owasp-common-numbering] Project Status?

Hi All,

It appears that this project is inactive, am I wrong?

That would be a shame. Why did it become inactive?

There is a definite need to unify the numbering of security controls (referred to as requirements in the OCR project) and to map these to vulnerabilities (such as those enumerated in the Top 10), verification activities (as enumerated in ASVS), mitigation strategies (as enumerated in the cheat sheets) and to external references such as CWE, SafeCode and WASC.

There is also a definite need to revive the Data Exchange Format program, and integrate OCR and DEF.

In short, I would like to help.

-R


From rick.mitchell at bell.ca Thu Oct 16 11:29:27 2014
From: rick.mitchell at bell.ca (Mitchell, Rick (6030318))
Date: Thu, 16 Oct 2014 07:29:27 -0400
Subject: [Owasp-common-numbering] Project Status?

Hi Richard, I think there have been a few contributing factors.

1) Coming up with a unified solution across OWASP deliverables is REALLY non-trivial, especially given that various projects have different perspectives (builders, breakers, defenders).
2) Lots of good ideas but no consensus.
3) Time.
4) Time.
5) Time.

Really getting this done in a reasonable/useful manner could represent a full time job for someone for 6mo to a year.

If someone wants to revive this I'd be glad to provide some input.

Rick

From: owasp-common-numbering-bounces at lists.owasp.org [mailto:owasp-common-numbering-bounces at lists.owasp.org] On Behalf Of Richard Quinn
Sent: Thursday, October 16, 2014 5:54 AM
To: owasp-common-numbering at lists.owasp.org
Subject: [Owasp-common-numbering] Project Status?

Hi All,

It appears that this project is inactive, am I wrong?

That would be a shame. Why did it become inactive?

There is a definite need to unify the numbering of security controls (referred to as requirements in the OCR project) and to map these to vulnerabilities (such as those enumerated in the Top 10), verification activities (as enumerated in ASVS), mitigation strategies (as enumerated in the cheat sheets) and to external references such as CWE, SafeCode and WASC.

There is also a definite need to revive the Data Exchange Format program, and integrate OCR and DEF.

In short, I would like to help.

-R


From richard.quinn at owasp.org Thu Oct 16 16:14:53 2014
From: richard.quinn at owasp.org (Richard Quinn)
Date: Thu, 16 Oct 2014 18:14:53 +0200
Subject: [Owasp-common-numbering] Project Status?

Hi Rick,

Thanks, I see why the time demands can be huge: the scope is huge!

I was considering creating an RDF/OWL ontology mapping various OWASP classes (weakness, vulnerability, control, mitigation) and various objects (CWE entries, OWASP Top 10, CAPEC entries, ASVS elements, cheat sheets). The ontology itself contains the knowledge; enriching it with a numbering scheme would be simple. Adding URIs to the various entries would be trivial if laborious.

I think this would add value (at least to me). If it gains adoption by other OWASP projects then there is no harm in that. Making adoption the goal is, I think, the element which adds huge time requirements. Was that your experience?

-Richard

On Thu, Oct 16, 2014 at 1:29 PM, Mitchell, Rick (6030318) <rick.mitchell at bell.ca> wrote:
> Hi Richard, I think there have been a few contributing factors.
>
> 1) Coming up with a unified solution across OWASP deliverables is REALLY non-trivial, especially given that various projects have different perspectives (builders, breakers, defenders).
> 2) Lots of good ideas but no consensus.
> 3) Time.
> 4) Time.
> 5) Time.
>
> Really getting this done in a reasonable/useful manner could represent a full time job for someone for 6mo to a year.
>
> If someone wants to revive this I'd be glad to provide some input.
>
> Rick
>
> From: owasp-common-numbering-bounces at lists.owasp.org [mailto:owasp-common-numbering-bounces at lists.owasp.org] On Behalf Of Richard Quinn
> Sent: Thursday, October 16, 2014 5:54 AM
> To: owasp-common-numbering at lists.owasp.org
> Subject: [Owasp-common-numbering] Project Status?
>
> Hi All,
>
> It appears that this project is inactive, am I wrong?
>
> That would be a shame. Why did it become inactive?
>
> There is a definite need to unify the numbering of security controls (referred to as requirements in the OCR project) and to map these to vulnerabilities (such as those enumerated in the Top 10), verification activities (as enumerated in ASVS), mitigation strategies (as enumerated in the cheat sheets) and to external references such as CWE, SafeCode and WASC.
>
> There is also a definite need to revive the Data Exchange Format program, and integrate OCR and DEF.
>
> In short, I would like to help.
>
> -R


From colin.watson at owasp.org Thu Oct 16 16:54:24 2014
From: colin.watson at owasp.org (Colin Watson)
Date: Thu, 16 Oct 2014 17:54:24 +0100
Subject: [Owasp-common-numbering] Fwd: Project Status?

Sent to Richard and Rick with 2 attachments.

Colin

---------- Forwarded message ----------
From: Colin Watson
Date: 16 October 2014 17:53
Subject: Re: [Owasp-common-numbering] Project Status?
To: Richard Quinn
Cc: rick.mitchell at bell.ca

Richard

Some history at:

http://lists.owasp.org/pipermail/owasp-common-numbering/2013-June/000007.html

Also see attached old thoughts.

Also Cornucopia (card game) has some cross-referencing between Secure Coding Practices, AppSensor, ASVS and CAPEC. Latest XML version attached. The XML structure isn't meant to be well thought out! Just a draft really.

I emailed you direct in case the attachments disappear. I will forward the message without the attachments to the list too.

Colin

On 16 October 2014 17:14, Richard Quinn wrote:
> Hi Rick,
>
> Thanks, I see why the time demands can be huge: the scope is huge!
>
> I was considering creating an RDF/OWL ontology mapping various OWASP classes (weakness, vulnerability, control, mitigation) and various objects (CWE entries, OWASP Top 10, CAPEC entries, ASVS elements, cheat sheets). The ontology itself contains the knowledge; enriching it with a numbering scheme would be simple. Adding URIs to the various entries would be trivial if laborious.
>
> I think this would add value (at least to me). If it gains adoption by other OWASP projects then there is no harm in that. Making adoption the goal is, I think, the element which adds huge time requirements. Was that your experience?
>
> -Richard
>
> On Thu, Oct 16, 2014 at 1:29 PM, Mitchell, Rick (6030318) wrote:
>> Hi Richard, I think there have been a few contributing factors.
>>
>> 1) Coming up with a unified solution across OWASP deliverables is REALLY non-trivial, especially given that various projects have different perspectives (builders, breakers, defenders).
>> 2) Lots of good ideas but no consensus.
>> 3) Time.
>> 4) Time.
>> 5) Time.
>>
>> Really getting this done in a reasonable/useful manner could represent a full time job for someone for 6mo to a year.
>>
>> If someone wants to revive this I'd be glad to provide some input.
>>
>> Rick
>>
>> From: owasp-common-numbering-bounces at lists.owasp.org [mailto:owasp-common-numbering-bounces at lists.owasp.org] On Behalf Of Richard Quinn
>> Sent: Thursday, October 16, 2014 5:54 AM
>> To: owasp-common-numbering at lists.owasp.org
>> Subject: [Owasp-common-numbering] Project Status?
>>
>> Hi All,
>>
>> It appears that this project is inactive, am I wrong?
>>
>> That would be a shame. Why did it become inactive?
>>
>> There is a definite need to unify the numbering of security controls (referred to as requirements in the OCR project) and to map these to vulnerabilities (such as those enumerated in the Top 10), verification activities (as enumerated in ASVS), mitigation strategies (as enumerated in the cheat sheets) and to external references such as CWE, SafeCode and WASC.
>>
>> There is also a definite need to revive the Data Exchange Format program, and integrate OCR and DEF.
>>
>> In short, I would like to help.
>>
>> -R
>
> _______________________________________________
> Owasp-common-numbering mailing list
> Owasp-common-numbering at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-common-numbering
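Added example (not part of the thread, and not OWASP project code): a sketch of the cross-reference ontology Richard describes above, as a minimal in-memory RDF-style triple store with no external dependencies. Nodes are identified by URIs, typed with the classes named in the thread (weakness, vulnerability, control, mitigation) plus a verification class for ASVS and an attack-pattern class for CAPEC (both my additions), and the graph is then enriched with a derived common number and serialised to Turtle. Assumptions: the `https://owasp.org/ocr/` namespace, the control and cheat-sheet URIs, the ASVS requirement ids `V5.x`/`V5.y`, and every mapping edge are illustrative placeholders, not an authoritative OWASP mapping; only the CWE, CAPEC and Top 10 2013 identifiers are real.

```python
"""Minimal RDF-style cross-reference graph for OWASP deliverables (illustrative sketch).

All URIs under OCR, the ASVS ids and every mapping edge are placeholders chosen for
this example; CWE-79/89, CAPEC-63/66 and Top 10 2013 A1/A3 are real identifiers.
"""

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
RDFS_LABEL = "http://www.w3.org/2000/01/rdf-schema#label"
OCR = "https://owasp.org/ocr/"                       # hypothetical common-reference namespace
CWE = "https://cwe.mitre.org/data/definitions/"
CAPEC = "https://capec.mitre.org/data/definitions/"

# Classes: the four from the thread, plus two added here for ASVS and CAPEC entries.
WEAKNESS, VULNERABILITY, CONTROL, MITIGATION, VERIFICATION, ATTACK_PATTERN = (
    OCR + c for c in ("Weakness", "Vulnerability", "Control", "Mitigation",
                      "Verification", "AttackPattern"))
# Predicates (all hypothetical): how the classes relate to each other.
CAUSED_BY = OCR + "causedBy"       # Vulnerability  -> Weakness
EXPLOITS = OCR + "exploits"        # AttackPattern  -> Weakness
MITIGATES = OCR + "mitigates"      # Control        -> Weakness
DESCRIBED_IN = OCR + "describedIn" # Control        -> Mitigation (cheat sheet)
VERIFIED_BY = OCR + "verifiedBy"   # Control        -> Verification (ASVS element)
NUMBER = OCR + "number"            # any instance   -> derived common number


class Graph:
    """A set of (subject, predicate, object) triples with wildcard matching."""

    def __init__(self):
        self._triples = set()

    def add(self, s, p, o):
        self._triples.add((s, p, o))

    def match(self, s=None, p=None, o=None):
        # None acts as a wildcard; results are sorted so queries are deterministic.
        return sorted(t for t in self._triples
                      if s in (None, t[0]) and p in (None, t[1]) and o in (None, t[2]))

    def objects(self, s, p):
        return [t[2] for t in self.match(s, p, None)]

    def subjects(self, p, o):
        return [t[0] for t in self.match(None, p, o)]


def build_sample_graph():
    """Constructed sample data: two weaknesses and the objects that refer to them."""
    g = Graph()

    def node(uri, cls, label):
        g.add(uri, RDF_TYPE, cls)
        g.add(uri, RDFS_LABEL, label)
        return uri

    cwe79 = node(CWE + "79.html", WEAKNESS, "CWE-79: Cross-site Scripting")
    cwe89 = node(CWE + "89.html", WEAKNESS, "CWE-89: SQL Injection")
    capec63 = node(CAPEC + "63.html", ATTACK_PATTERN, "CAPEC-63: Cross-Site Scripting (XSS)")
    capec66 = node(CAPEC + "66.html", ATTACK_PATTERN, "CAPEC-66: SQL Injection")
    a1 = node(OCR + "top10/2013/A1", VULNERABILITY, "Top 10 2013 A1: Injection")
    a3 = node(OCR + "top10/2013/A3", VULNERABILITY, "Top 10 2013 A3: Cross-Site Scripting (XSS)")
    enc = node(OCR + "control/contextual-output-encoding", CONTROL, "Contextual output encoding")
    prm = node(OCR + "control/parameterised-queries", CONTROL, "Parameterised queries")
    cs_xss = node(OCR + "cheatsheet/xss-prevention", MITIGATION, "XSS Prevention Cheat Sheet")
    cs_sqli = node(OCR + "cheatsheet/sql-injection-prevention", MITIGATION, "SQL Injection Prevention Cheat Sheet")
    asvs_enc = node(OCR + "asvs/V5.x-output-encoding", VERIFICATION, "ASVS V5.x (placeholder id)")
    asvs_prm = node(OCR + "asvs/V5.y-parameterised-queries", VERIFICATION, "ASVS V5.y (placeholder id)")

    for s, p, o in [(a3, CAUSED_BY, cwe79), (a1, CAUSED_BY, cwe89),
                    (capec63, EXPLOITS, cwe79), (capec66, EXPLOITS, cwe89),
                    (enc, MITIGATES, cwe79), (prm, MITIGATES, cwe89),
                    (enc, DESCRIBED_IN, cs_xss), (prm, DESCRIBED_IN, cs_sqli),
                    (enc, VERIFIED_BY, asvs_enc), (prm, VERIFIED_BY, asvs_prm)]:
        g.add(s, p, o)
    return g


def assign_numbers(g):
    """Derive a stable common number per instance: class prefix + rank by sorted URI."""
    prefixes = {WEAKNESS: "W", VULNERABILITY: "V", ATTACK_PATTERN: "A",
                CONTROL: "C", MITIGATION: "M", VERIFICATION: "T"}
    numbers = {}
    for cls, prefix in prefixes.items():
        for i, uri in enumerate(g.subjects(RDF_TYPE, cls), start=1):
            numbers[uri] = f"OCR-{prefix}-{i:03d}"
            g.add(uri, NUMBER, numbers[uri])
    return numbers


def cross_reference(g, vuln_uri):
    """Walk from a Top 10 item to the weaknesses, attacks, controls, cheat sheets and ASVS items."""
    weaknesses = g.objects(vuln_uri, CAUSED_BY)
    controls = sorted({c for w in weaknesses for c in g.subjects(MITIGATES, w)})
    return {
        "weaknesses": weaknesses,
        "attack_patterns": sorted({a for w in weaknesses for a in g.subjects(EXPLOITS, w)}),
        "controls": controls,
        "cheat_sheets": sorted({m for c in controls for m in g.objects(c, DESCRIBED_IN)}),
        "verifications": sorted({v for c in controls for v in g.objects(c, VERIFIED_BY)}),
    }


def to_turtle(g):
    """Serialise as N-Triples lines (a subset of Turtle); objects starting with http are IRIs."""
    lines = []
    for s, p, o in g.match():
        obj = f"<{o}>" if o.startswith("http") else '"' + o.replace('"', '\\"') + '"'
        lines.append(f"<{s}> <{p}> {obj} .")
    return "\n".join(lines)


if __name__ == "__main__":
    graph = build_sample_graph()
    nums = assign_numbers(graph)
    for kind, uris in cross_reference(graph, OCR + "top10/2013/A3").items():
        print(kind, [f"{nums[u]} {graph.objects(u, RDFS_LABEL)[0]}" for u in uris])
    print(to_turtle(graph))
```

The point of the sketch is the one Richard makes: once the knowledge lives in the graph, the numbering is a derived view (here a rank within each class), and the same triples answer cross-cutting questions (which controls, cheat sheets and ASVS items cover a Top 10 item) that the individual documents cannot. In a real implementation the Turtle output would be loaded into a proper RDF store and the ad hoc walk in `cross_reference` would become a SPARQL query.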