[Owasp-leaders] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Paulo Coimbra paulo.coimbra at owasp.org
Fri Mar 6 08:05:46 EST 2009


From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
Sent: Thursday, 5 March 2009 16:04
To: paulo.coimbra at owasp.org
Subject: RE: [Global_tools_and_project_committee] [Owasp-board] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Paulo, I'm not subscribed to leaders using my Booz Allen email, and thus
can't send to the list at the moment.

Please feel free to forward my email, if you think it would be productive to
trigger a discussion.

Best,

Mike B.

From: paulo coimbra [mailto:pcoimbra at owasp.org] On Behalf Of Paulo Coimbra
Sent: Thursday, March 05, 2009 11:02 AM
To: Boberski, Michael [USA]; 'Dave Wichers'; 'OWASP Foundation Board List'; global_tools_and_project_committee at lists.owasp.org
Subject: RE: [Global_tools_and_project_committee] [Owasp-board] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Mike,

I thank you for your thoughts and, if I may, to trigger and open up the discussion,
I suggest sending your email to the leaders' mailing list.

Regards,

Paulo Coimbra,

OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
Sent: Thursday, 5 March 2009 13:29
To: Dave Wichers; paulo.coimbra at owasp.org; OWASP Foundation Board List; global_tools_and_project_committee at lists.owasp.org
Subject: RE: [Global_tools_and_project_committee] [Owasp-board] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Team, OWASP is getting overly bureaucratic, it seems to me. 

I'd rather see people putting time/energy into tightening up their project
pages, tools, and project presentations/datasheets. An example is PHP and
.NET ESAPI: there's no published mapping of Java ESAPI to PHP/ESAPI, which
also should identify which interfaces are being targeted for which
releases. I'm going to try to work with Andrew to fix that problem for PHP
since I may have a need for a PHP ESAPI for a customer engagement, but it's
still a good example.

The more complete and professional a page/doc/tool looks, the easier it is
to identify the status and content of a doc/tool, and the easier it is to figure
out its usefulness and to promote its adoption. That a doc/tool has correct
content or works is taken as a given; that is completely secondary to the
initial figuring out of whether a doc/tool is a potential solution to one's problem
of the day.

I would also caution against downgrading projects, which is what one of the
comments seems to imply could happen. If you must address some perceived
contention over project assessment criteria, you should simply put dates
against ratings, and identify the criteria version that a project was
assessed against, then leave that rating alone as the criteria continue to
evolve over time. That is what more well-established and formal testing
programs, for instance Common Criteria and FIPS 140, do. I hope I am
misreading comments on this point, however.

Best,

Mike B.
