[Owasp-common-numbering] Fwd: Project Status?

Colin Watson colin.watson at owasp.org
Thu Oct 16 16:54:24 UTC 2014


Sent to Richard and Rick with 2 attachments.

Colin


---------- Forwarded message ----------
From: Colin Watson <colin.watson at owasp.org>
Date: 16 October 2014 17:53
Subject: Re: [Owasp-common-numbering] Project Status?
To: Richard Quinn <richard.quinn at owasp.org>
Cc: rick.mitchell at bell.ca


Richard

Some history at:

  http://lists.owasp.org/pipermail/owasp-common-numbering/2013-June/000007.html

Also see attached old thoughts.

Also Cornucopia (card game) has some cross-referencing between Secure
Coding Practices, AppSensor, ASVS and CAPEC. Latest XML version
attached. The XML structure isn't meant to be well thought out! Just a
draft really.

I emailed you direct in case the attachments disappear. I will forward
the message without the attachments to the list too.

Colin



On 16 October 2014 17:14, Richard Quinn <richard.quinn at owasp.org> wrote:
> Hi Rick,
>
> Thanks, I see why the time demands can be huge: the scope is huge!
>
> I was considering creating an RDF/OWL ontology mapping various OWASP classes
> (weakness, vulnerability, control, mitigation) and various objects (CWE
> entries, OWASP top 10, CAPEC entries, ASVS elements, cheat sheets). The
> ontology itself contains the knowledge, enriching it with a numbering scheme
> would be simple. Adding URIs to the various entries would be trivial if
> laborious.
>
> I think this would add value (at least to me). If it gains adoption by other
> OWASP projects then there is no harm in that. Making adoption the goal is, I
> think, the element which adds huge time requirements. Was that your
> experience?
>
> -Richard
>
>
>
> On Thu, Oct 16, 2014 at 1:29 PM, Mitchell, Rick (6030318)
> <rick.mitchell at bell.ca> wrote:
>>
>> Hi Richard, I think there have been a few contributing factors.
>>
>>
>>
>> 1) Coming up with a unified solution across OWASP deliverables is
>> REALLY non-trivial, especially given that various projects have different
>> perspectives (builders, breakers, defenders).
>>
>> 2) Lots of good ideas but no consensus.
>>
>> 3) Time.
>>
>> 4) Time.
>>
>> 5) Time. Really getting this done in a reasonable/useful manner could
>> represent a full time job for someone for 6mo to a year.
>>
>>
>>
>> If someone wants to revive this I’d be glad to provide some input.
>>
>>
>>
>> Rick
>>
>>
>>
>> From: owasp-common-numbering-bounces at lists.owasp.org
>> [mailto:owasp-common-numbering-bounces at lists.owasp.org] On Behalf Of Richard
>> Quinn
>> Sent: Thursday, October 16, 2014 5:54 AM
>> To: owasp-common-numbering at lists.owasp.org
>> Subject: [Owasp-common-numbering] Project Status?
>>
>>
>>
>> Hi All,
>>
>>
>>
>> It appears that this project is inactive, am I wrong?
>>
>>
>>
>> That would be a shame. Why did it become inactive?
>>
>>
>>
>> There is a definite need to unify the numbering of security controls
>> (referred to as requirements in the OCR project) and to map these to
>> vulnerabilities (such as those enumerated in the top 10), verification
>> activities (as enumerated in ASVS), mitigation strategies (as enumerated in
>> the cheat sheets) and to external references such as CWE, SafeCode and WASC.
>>
>>
>>
>> There is also a definite need to revive the Data Exchange Format program,
>> and integrate OCR and DEF.
>>
>>
>>
>> In short, I would like to help.
>>
>>
>>
>> -R
>
>
>

