From moose at enting.se Wed Apr 20 19:34:28 2005
From: moose at enting.se (Ake Nordin)
Date: Thu, 21 Apr 2005 01:34:28 +0200
Subject: [Owasp-iso17799] ISO17799 (= *7799-1) vs *7799-2 success stories?
Message-ID: <6.2.1.2.2.20050421001602.0379fe78@localhost>

Hello,

Are there any success stories out there using what I call "*7799-1" (ISO17799 falls in that category) when tightening web apps? Are there any such stories using the corresponding "*7799-2"?

The reason I ask is that I'm a little bit sceptical towards the "prescriptive" nature of the "*7799-1" standards, compared to the more unbiased and "open question" nature of the "*7799-2" standards.

Maybe I should explain the way I denote the two sets of standards I talk about, explaining my view of them and how they have evolved:

ISO17799 stems from the British Standard 7799-1, which originated in the mid to late nineties. It has been adopted by various other standards bodies around the world under various designations (often ending in "7799-1") before ISO ratified it, thus replacing most of the national varieties. It is basically a handbook, more or less stating "do that to achieve this goal", and as such somewhat incongruent with the nature of security being a process rather than a deliverable.

The focus of the standards group in Britain that drafted BS7799-1 has moved to its companion, BS7799-2 (which AFAIK does not yet stand as a candidate for ISO ratification and thus still exists in various translations around the world, with designations often ending in "7799-2"). It is basically a checklist, asking "how is this covered", and as such is far better suited to the "security is a process" way of doing things. The most recent issue of BS7799-2 is adapted to "plan-do-check-act" cycles of iterative improvement, as well as being restructured somewhat to conform better to the ISO 9k, 14k and the upcoming 26k, as well as the OHSAS 18k standards, in integrated management systems.

--
/Ake Nordin +46704-660199 moose AT enting DOT se
Damian Conway: "The programmer is fighting against the two most destructive forces in the universe: entropy and human stupidity."

From vanderaj at greebo.net Wed Apr 20 22:58:59 2005
From: vanderaj at greebo.net (Andrew van der Stock)
Date: Thu, 21 Apr 2005 12:58:59 +1000 (EST)
Subject: [Owasp-iso17799] ISO17799 (= *7799-1) vs *7799-2 success stories?
In-Reply-To: <6.2.1.2.2.20050421001602.0379fe78@localhost>
References: <6.2.1.2.2.20050421001602.0379fe78@localhost>
Message-ID: <51590.203.57.241.67.1114052339.squirrel@webmail5.pair.com>

Ake Nordin said:
>
> Hello,
>
> Are there any success stories out there using what I call "*7799-1"
> (ISO17799 falls in that category) when tightening web apps?

:2 and friends are the ISMS version of the :1 books. The controls described in part 1 are for implementers, and the checks in :2 are for auditors as far as I am concerned. :2 controls are much weaker, and I think if you get the average bean counter acting as auditor looking through the systems development section, they will have no clue as to the correct approach.

In short, I've used 17799 at a high level to justify account and segregation controls, but generally I've never used 17799 (or AS/NZS 4444 / BS 7799) for system development controls.

Andrew

From matteo.meucci at gmail.com Thu Apr 21 10:21:51 2005
From: matteo.meucci at gmail.com (Matteo Meucci)
Date: Thu, 21 Apr 2005 16:21:51 +0200
Subject: [Owasp-iso17799] Call for OWASP-ISO17799 Phase II
Message-ID:

Hi all,
inside the Italy Chapter we are debating about the OWASP-ISO17799 project to try to understand the direction of the project. In Italy nearly 6 people are interested in giving new life to this project, but we first need to understand exactly the project's goal. I think that if we want to reach a target, it is necessary to give the right direction to this group.
What does the owasp-iso17799 group think about that?
Do you think it is possible to give a new start to this project?

Mat

OWASP-Italy Chair
www.owasp.org/local/italy.html

On 4/13/05, Fabio Dianda wrote:
> Hi,
>
> Last summer I tried to collaborate on the OWASP-ISOBS7799 project, but
> unfortunately, partly because of professional problems, I was not able to
> dedicate enough time and in fact I stepped aside ... Matteo's proposal to
> give new life to this project pleased me very much. To recap: Matteo spoke
> with Stan, who would be "happy" to "hand over" the leadership of the
> project, but what do the other people who were collaborating on the
> project think?
>
> Perhaps the discussion should also be opened up to them, at least after we
> have "cleared up" our ideas a little on the questions Matteo raised in his
> first email.
>
> In my opinion, OWASP-BS7799 should not limit itself to writing docs
> inspired by or "compliant" with BS7799, but should have the Guide
> (OWASP-GUIDE) as a further cornerstone. In short, we are not talking about
> writing a DPS, but about something more articulated and complex, which
> should not "forget" what the elements of the web application context are.
>
> Bye,
> Fabio Dianda

From vanderaj at greebo.net Thu Apr 21 10:32:29 2005
From: vanderaj at greebo.net (Andrew van der Stock)
Date: Fri, 22 Apr 2005 00:32:29 +1000
Subject: [Owasp-iso17799] Call for OWASP-ISO17799 Phase II
In-Reply-To:
Message-ID:

As nothing has really happened for a long time, I would suggest grabbing the materials on the CVS and using those as a starting point and making the project your own.

Personally, organizations like my current customer need ISO 17799 compatible secure coding checklists. Do you have a copy of ISO 17799:2?

I'd certainly like something like advice on using OWASP in an ISMS, with an appropriate security lifecycle, but that matches the needs of the criteria project as well. Maybe the two projects could be allied?

Andrew

From Bruce.Morris at au.ey.com Thu Apr 21 18:08:38 2005
From: Bruce.Morris at au.ey.com (Bruce.Morris at au.ey.com)
Date: Fri, 22 Apr 2005 08:08:38 +1000
Subject: [Owasp-iso17799] Call for OWASP-ISO17799 Phase II [Virus checkedAU]
In-Reply-To:
Message-ID:

Unfortunately I got dragged away onto other things and haven't checked back in until the last month, only to discover that nothing more had happened.

Personally I really don't like the idea of templates that result in a generic view of life, as in my experience it inevitably leads to laziness and no thought being given to the process.

I have been doing some thinking about this and have come to the conclusion that what would be useful would be something that, for example, sat across the Common Criteria and provided a more business/governance oriented view of protection and security targets: for example, a 7799 protection profile, which would then give rise to linking in CC products/solutions, etc.

Basically, we could develop a tool like (or based on) the CC toolbox which allows you to build a protection profile, which then (using 7799 as a basis) delivers policy and control statements and a risk profile as a result. This would then help orgs to wade through the "better practice standard" in a question/answer or point-and-click type scenario to arrive at a contextually suitable arrangement.
In essence the templates already created would form a basis for the question/answer type bits.

Blah blah blah... etc, etc, etc

Cheers
Bruce