From samheinrich at hotmail.com Thu Oct 9 16:09:05 2003
From: samheinrich at hotmail.com (sam heinrich)
Date: Thu, 09 Oct 2003 20:09:05 +0000
Subject: [Owasp-iso17799] component deliverables
Message-ID:

Hi guys -

Okay, I just lost an email that I don't think made it out to you... Anyway, my main point was that I get the sense that we're all pretty busy. I think whatever deadlines we set should be realistic about our other commitments.

I think it will be best if we can break the policy template effort into component tasks, set deadlines for these, and each of us take ownership of one or two at a time. I haven't seen it yet, so I'll take a look at what's checked in tonight and see what I come up with. Rich, could you maybe send out a list of what you think would make good baby steps, too? Then we can compare notes and go forward...

Thanks - Sam

----Original Message Follows----
From: "Rich Seiersen"
To: samheinrich at hotmail.com, mark at curphey.com
Subject: RE: [Owasp-iso17799] Activity?
Date: Thu, 09 Oct 2003 19:46:45 +0000

I just did a release to my main customer - so I too have been head down. I have the template, and am starting to go over it. Deadlines are a fine thing. What are you suggesting specifically?

Richard Seiersen
rich67dev at hotmail.com

>From: "sam heinrich"
>To: mark at curphey.com, rich67dev at hotmail.com
>Subject: RE: [Owasp-iso17799] Activity?
>Date: Thu, 09 Oct 2003 19:37:18 +0000
>
>Hi Mark, Rich,
>
>I haven't seen any OWASP-ISO17799 traffic lately - any activity? For my part, I've been head-down on a project that finished Monday. How have you been?
>
>If the policy template has been stalled out, what did you two think of my earlier suggestion to set ourselves some deadlines? Regardless, Mark, could you add me to the OWASP project in Sourceforge so I can jump back in? I just created an account under "samheinrich"...
>
>Thanks,
>Sam
>
>-----Original Message-----
>From: owasp-iso17799-admin at lists.sourceforge.net
>[mailto:owasp-iso17799-admin at lists.sourceforge.net] On Behalf Of sam heinrich
>Sent: Monday, September 22, 2003 12:54 PM
>To: mark at curphey.com; rich67dev at hotmail.com; owasp-iso17799 at lists.sourceforge.net
>Subject: Re: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
>
>hi guys - glad i wasn't the only one - i was out of town, too, for my sister's wedding. considering how things get for all of us in our work/personal lives, should we try to spur ourselves on by setting a due date for input on the first draft of the policy? - sam
>
>p.s. welcome amol...

From rich67dev at hotmail.com Thu Oct 9 19:22:02 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Thu, 09 Oct 2003 23:22:02 +0000
Subject: [Owasp-iso17799] component deliverables
Message-ID:

Sam and Mark,

I see the steps for myself as such; once we get this down, we can move more aggressively:

1. Read the SANS docs. This will give us a lower-end benchmark, based on what Mark has said.
2. Choose sections to work on, perhaps one each to start with.
3. Create outlines of content to go into sections.
4. Have Mark approve, comment, criticize, laugh etc. at what we propose.
5. Fill in the content for the section.
6. Step 4 on our results.

Once we are comfortable with the level of detail required, we can take the same approach to the other sections. I think we would then be able to set a time in the future for a first draft, and then work backwards, would you not agree? Mark, not to fear, yours is a quick glance and a yea or nay. In the latter case, a pointing in the right direction might be offered.

Lastly, I am not sure what your background is. For my part, I am not a security 'guru' (hate that term btw - but am obliged to use it).
So, what I don't know, I research - which is part of the reason I have an ambition to do such a project. I spent the past two years doing application development and network debugging for a network security firm. I learned a lot, but was not involved in pen-testing and a lot of IDS or Vuln Assessment rule writing - a bit, though. I also have my CISSP, and have a tried and tested understanding of things ISO. So, I humbly submit to you that this will be a learning experience for me. If you can have peace with that - then all is well - let's read the SANS docs. Then, let's choose a section to hammer out.

Thanks for pushing on this Sam... it's easy to let the urgent things push out the important ones - and for me personally this is of longer-term importance.

Richard Seiersen
rich67dev at hotmail.com

From mark at curphey.com Fri Oct 10 20:49:58 2003
From: mark at curphey.com (Mark Curphey)
Date: Fri, 10 Oct 2003 20:49:58 -0400
Subject: [Owasp-iso17799] component deliverables
In-Reply-To:
Message-ID:

Rich,

I think everything's a learning experience and there is always someone who knows more than me at everything I do, so we are in the same boat there.

I will send you guys a zip file of a set of policies offline from the list. They are copyrighted. They are probably a better set of templates than the SANS ones but still I think a little stuffy and maybe bloated.

I think the proposal set out above is a great one.

I am going to write my next week's OWASP columns setting out a policy / standards / procedure framework. I wonder if I could get you guys to take a look at it and see what you think? It may also be a starting point or point of reference for this work.

I will try and do it tomorrow and send it on.

Excited to be getting on with this at last.

Cheers

Mark

_______________________________________________
Owasp-iso17799 mailing list
Owasp-iso17799 at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-iso17799

From rich67dev at hotmail.com Fri Oct 10 21:39:48 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Sat, 11 Oct 2003 01:39:48 +0000
Subject: [Owasp-iso17799] component deliverables
Message-ID:

Mark,

Sounds good - send over the docs for my review. I have read all the SANS docs as of today, and think we can do much better in terms of what actually (technically) needs to occur in creating a web application security standard that meets the generalities of an ISO 17799 style audit.
As of ISO 2000, PDCA has been adopted (Plan Do Check Act), which comes from Deming style quality. This is impacting all ISO, and of course is in 17799 and BS section 2 from what I can tell. I see an opportunity to apply not only the generalities of 7799, but even more so PDCA, to developing, deploying and maintaining secure web environments. Of particular interest is metrics and the measurement of improvement. In my writing, I will try to show how PDCA will impact the whole concept of secure web application design and development.

In terms of what I would like to take a first shot at, I will take 'Operation Issues'. It's something I have been dealing with on my current project. I will create an outline that expands on what Mark has already put in, and then I will get that to you both to review. Any recommended reading on this area, Mark (or Sam)?

Richard Seiersen
rich67dev at hotmail.com

From rich67dev at hotmail.com Tue Oct 21 14:22:27 2003
From: rich67dev at hotmail.com (Rich Seiersen)
Date: Tue, 21 Oct 2003 18:22:27 +0000
Subject: [Owasp-iso17799] Fwd: Delivery Status Notification (Failure)
Message-ID:

Mark, got a bounce back on your main email? Just wanted to let you know that I am back from a week's vacation and will have some content to review shortly. Looks like Sam is out for some time. I also just signed up to go to SANS 2003 in New Orleans to do the 7799 track.

Regards,

Richard Seiersen
rich67dev at hotmail.com

>From: postmaster at mail.hotmail.com
>To: rich67dev at hotmail.com
>Subject: Delivery Status Notification (Failure)
>Date: Tue, 21 Oct 2003 09:14:55 -0700
>
>This is an automatically generated Delivery Status Notification.
>
>Delivery to the following recipients failed.
>
> mark at curphey.com

-------------- next part --------------
An embedded message was scrubbed...
From: "Rich Seiersen"
Subject: Re: [Owasp-iso17799] Re: Current policy doc
Date: Tue, 21 Oct 2003 16:13:05 +0000
Size: 1443
Url: http://lists.owasp.org/pipermail/owasp-iso17799/attachments/20031021/dfd74eb9/attachment.mht

From mark at curphey.com Wed Oct 22 09:12:08 2003
From: mark at curphey.com (Mark Curphey)
Date: Wed, 22 Oct 2003 09:12:08 -0400
Subject: [Owasp-iso17799] Fwd: Delivery Status Notification (Failure)
In-Reply-To:
Message-ID:

Great. I have taken a few weeks off work between jobs so will have some time to do some stuff as well (at last). Great stuff.