[Owasp-guide] Awaiting further guidance for OWASP-0100 Security Architecture
Boberski, Michael [USA]
boberski_michael at bah.com
Fri Apr 9 11:20:25 EDT 2010
Hi Mike. Emailing the list is the right thing to do to reach out, thanks. I can't stress enough how much I would like people to use the list rather than private correspondence as they work on items in their sections, so that other people can gain insights, can ask questions of each other, and so on, since otherwise "discovering" updates someone else has done elsewhere is not a very efficient way to do things.
Anywho, here is what you need to do next:
Please see email "AUTHOR ACTION REQUIRED -- REVISED OUTLINE (RESEND)" (Mon 4/5/2010 2:32 PM).
Then, for your section, I would expect there to be a question of "Does 'Build or buy' make sense for the title for the first subsection for our section since it's not a control, or should it be called something else", I would expect questions/coordinations/first attempts at worksheets, I would expect recycled snippets from the previous guide to start percolating into the new wiki pages, etc.
The thing with open source (and its source of power) is that YOU have the power to say "f- it, I'm doing it", and then do it yourself. We should have such luck to have problems where people are complaining about Google's wiki page locking mechanism.
Just do it, as the Nike commercials used to say.
There is no "trust but verify" when it comes to application security!
Verify, THEN trust! Read the entire post: Inside Booz Allen<http://hello.bah.com/blogs/index.php/SoftwareAssuranceCoP/2010/04/01/there_is_no_trust_but_verify>, Outside of Booz Allen<http://mikeboberski.blogspot.com/2010/04/there-is-no-trust-but-verify.html>
From: owasp-guide-bounces at lists.owasp.org [mailto:owasp-guide-bounces at lists.owasp.org] On Behalf Of Mike Lewis
Sent: Friday, April 09, 2010 11:01 AM
To: owasp-guide at lists.owasp.org
Subject: [Owasp-guide] Awaiting further guidance for OWASP-0100 Security Architecture
Mylene and all,
I've broken down the Security Architecture section into further chunks, and now I am awaiting further instructions on what to do next.
I know some of you have worked on OWASP projects in the past and a lot of this stuff is intuitively obvious to you, but this is my first one and I need a little more handholding and guidance. As you can see by my work already, though, if you show me what needs to be done, I'll go out and do it a hundred times over. I just need that small push to get going.
Mylene, you're supposed to be leading this section, but I haven't heard one peep from you. I've gotten some cloudy and conflicting guidance from Mike about what to do, but I'm still sort of lost, as he apparently has a master vision for this document, but I'm completely blind as to what it is. I know Charlie and Kevin have taken a stab at some documentation for the section, and I applaud them for their enthusiasm; like them, I want to jump in and crank some material out. However, I think we're all confused about what exactly our roles here are.
I know Mike has a definite vision of how this thing should be set up, based on his comments thus far about how the document should be structured. I believe that he has shared that vision with Mylene, based on his repeated requests for me to coordinate with Mylene. However, that vision has not trickled down to me, which is the source of my frustration on this project.
I respectfully request some additional guidance from anyone who will step up and help show me and guide me and lead me to what exactly I am supposed to be doing.
-- Mike Lewis