[Owasp-leaders] Should OWASP have an Enterprise Architecture?

Mike Boberski mike.boberski at cox.net
Thu Nov 27 10:25:45 EST 2008

Could you clarify what is meant by "architecture" in the notes below?
For example:
  * Do you mean the design of the components that were developed to create
the application?
  * Do you mean the design of the redistributable forms of the application
components in relation to the components in the IT environment that the
application relies on to function and to talk to?
I'm hoping the answer is "yes" for both. Both need to be considered during
development and during verification over the course of the SDLC. I'm also
hoping that it's implicit in folks' minds that every time the word
"architecture" is mentioned, folks are understanding what is meant is
"security architecture".
Perhaps, the architectural verification requirements of OWASP ASVS may be of
Best regards,


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Andrew van der
Sent: Thursday, November 27, 2008 12:47 AM
To: Dinis Cruz; David J. Meier
Cc: Owasp leaders
Subject: Re: [Owasp-leaders] Should OWASP have an Enterprise Architecture?

Recently David Meier made contact with me re: Development Guide 3.0 work. I
have tasked him with hopefully working on the architecture chapter for the
Development Guide 3.0. This will be 3000 words of architectural goodness,
which we have discussed as being possibly the basis for an "OWASP
Architecture Guide".  

I think the first step is to get a rough draft of the chapter and see if
that's where everyone's head space is at. Remember, this chapter solves the
Development Guide's issues in the first instance. We can always fine tune or
extend it considerably into its own Guide later to solve other issues or be
more complete. 


On Nov 20, 2008, at 6:32 PM, dinis cruz wrote:

I agree with James that there are parts of OWASP that should have a
technological roadmap and an enterprise architecture (in fact I had a
conversation at the Summit on this exact subject). 

I view this as part of the maturing of OWASP technology and tools. It is not
a show stopper at the moment, but if we keep growing at the current pace, it
will definitely become an issue in 12 to 18 months.

The question is who is going to have a go at it :) 

Dinis  Cruz

2008/11/18 McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com>

I know that OWASP is driven by its members and will go wherever they lead
them, but does that mean that OWASP should not have a roadmap? How does
OWASP move up the maturity ladder? How does OWASP help drive value above and
beyond just creating a loose collection of projects such that they form a
cohesive whole?

Does OWASP need an enterprise architecture? 



OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
