[Owasp-iso17799] component deliverables
rich67dev at hotmail.com
Fri Oct 10 21:39:48 EDT 2003
Sounds good - send over the docs for my review.
I have read all SANS docs as of today, and think we can do much better in
terms of what actually (technically) needs to occur in creating a web
application security standard that meets the generalities of an ISO 17799
As of ISO 2000, PDCA has been adopted (Plan Do Check Act), which comes from
Deming style quality. This is impacting all ISO, and of course is in
17799 and BS section 2 from what I can tell. I see an opportunity to apply
not only the generalities of 7799, but even more so, PDCA to
developing, deploying and maintaining secure web environments. Of particular
interest are metrics and the measurement of improvement. In my writing, I
will try to show how PDCA will impact the whole concept of secure web
application design and development.
In terms of what I would like to take a first shot at, I will take
'Operation Issues'. It's something I have been dealing with on my current
project. I will create an outline that expands on what Mark has already put
in, and then I will get that to you both to review. Any recommended reading
on this area Mark (or Sam)?
rich67dev at hotmail.com
>From: "Mark Curphey" <mark at curphey.com>
>To: "'Rich Seiersen'"
><rich67dev at hotmail.com>,<samheinrich at hotmail.com>,<owasp-iso17799 at lists.sourceforge.net>
>Subject: RE: [Owasp-iso17799] component deliverables
>Date: Fri, 10 Oct 2003 20:49:58 -0400
>I think everything's a learning experience and there is always someone who
>knows more than me at everything I do so we are in the same boat there.
>I will send you guys a zip file of a set of policies offline from the list.
>They are copyrighted. They are probably a better set of templates than the
>SANS ones but still I think a little stuffy and maybe bloated.
>I think the proposal set out above is a great one.
>I am going to write my next week's OWASP columns setting out a policy /
>standards / procedure framework. I wonder if I could get you guys to take a
>look at it and see what you think? It may also be a starting point
>of reference for this work.
>I will try and do it tomorrow and send it on.
>Excited to be getting on with this at last.
>From: owasp-iso17799-admin at lists.sourceforge.net
>[mailto:owasp-iso17799-admin at lists.sourceforge.net] On Behalf Of Rich
>Sent: Thursday, October 09, 2003 7:22 PM
>To: samheinrich at hotmail.com; owasp-iso17799 at lists.sourceforge.net
>Sam and Mark,
>I see the steps for myself as such, once we get this down, we can move more
>1. Read the sans docs. This will give us a lower end benchmark, based on
>what mark has said.
>2. Choose sections to work on, perhaps one each to start with.
>3. Create outlines of content to go into sections.
>4. Have Mark approve, comment, criticize, laugh etc. at what we propose.
>5. Fill in the content for the section.
>6. Step 4 on our results.
>Once we are comfortable with the level of detail required, we can take the
>same approach to the other sections. I think we would then be able to set a
>time in the future for a first draft, and then work backwards, would you
>agree? Mark, not to fear, yours is a quick glance and a yea or nay. In
>latter, a pointing in the right direction might be offered.
>Lastly, I am not sure what your background is? For my part, I am not a
>security 'guru' (hate that term btw - but am obliged to use it). So,
>I don't know, I research - which is part of the reason I have an ambition
>to do such a project. I spent the past two years doing application
>and network debugging for a network security firm, I learned a lot, but was
>not involved in pen-testing and a lot of IDS or Vuln Assessment rule
>writing - a bit though. I also have my CISSP, and have a tried and tested
>understanding of things ISO. So, I humbly submit to you that this will be a
>learning experience for me. If you can have peace with that - then all is
>well - let's read the SANS docs. Then, let's choose a section to hammer out.
>Thanks for pushing on this Sam...it's easy to let the urgent things push out
>the important ones - and for me personally this is of longer terms
>rich67dev at hotmail.com
> >From: "sam heinrich" <samheinrich at hotmail.com>
> >To: owasp-iso17799 at lists.sourceforge.net
> >Subject: [Owasp-iso17799] component deliverables
> >Date: Thu, 09 Oct 2003 20:09:05 +0000
> >Hi guys -
> >Okay, I just lost an email that I don't think made it out to you...
> >Anyway, my main point was that I get the sense that we're all pretty
> >I think whatever deadlines we set should be realistic about our other
> >I think it will be best if we can break the policy template effort into
> >component tasks, set deadlines for these, and each of us take ownership
> >of one or two at a time. I haven't seen it yet, so I'll take a look at
> >what's checked in tonight and see what I come up with. Rich, could you
> >maybe send out a list of what you think would make good baby steps,
> >too? Then we can compare notes and go forward...
> >Thanks - Sam
> >----Original Message Follows----
> >From: "Rich Seiersen" <rich67dev at hotmail.com>
> >To: samheinrich at hotmail.com, mark at curphey.com
> >Subject: RE: [Owasp-iso17799] Activity?
> >Date: Thu, 09 Oct 2003 19:46:45 +0000
> >I just did a release to my main customer - so I too have been head
> >down. I have the template, and am starting to go over it. Deadlines
> >are a fine thing. What are you suggesting specifically?
> >Richard Seiersen
> >rich67dev at hotmail.com
> >>From: "sam heinrich" <samheinrich at hotmail.com>
> >>To: mark at curphey.com, rich67dev at hotmail.com
> >>Subject: RE: [Owasp-iso17799] Activity?
> >>Date: Thu, 09 Oct 2003 19:37:18 +0000
> >>Hi Mark, Rich,
> >>I haven't seen any OWASP-ISO17799 traffic lately - any activity? For
> >>my part, I've been head-down on a project that finished Monday. How
> >>have you been?
> >>If the policy template has been stalled out, what did you two think of
> >>my earlier suggestion to set ourselves some deadlines? Regardless,
> >>Mark, could you add me to the OWASP project in Sourceforge so I can jump
> >>back in? I just created an account under "samheinrich"...
> >>-----Original Message-----
> >>From: owasp-iso17799-admin at lists.sourceforge.net
> >>[mailto:owasp-iso17799-admin at lists.sourceforge.net] On Behalf Of sam
> >>Sent: Monday, September 22, 2003 12:54 PM
> >>To: mark at curphey.com; rich67dev at hotmail.com;
> >>owasp-iso17799 at lists.sourceforge.net
> >>Subject: Re: [Owasp-iso17799] Fw: [ISN] ISO17799 Security News
> >>Hi guys - glad I wasn't the only one - I was out of town, too, for my
> >>sister's wedding. Considering how things get for all of us in our
> >>work/personal lives, should we try to spur ourselves on by setting a due
> >>date for an input on the first draft of the policy? - Sam
> >>p.s. welcome amol...