[Owasp-leaders] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA

Mike Boberski mike.boberski at cox.net
Sat Mar 7 19:42:20 EST 2009


The only way to eat an elephant is one bite at a time.

Let us start with the first bite.

Re: "Please note that not all the projects below have been evaluated under
this criteria and might be re-classified once that process is completed"
which is now on each tab of the projects page. We need to discuss this!

Overturning verdicts/assessments does not provide consumers in any context
with confidence that the rating organization has its stuff together or that
its ratings mean anything. It is also completely demoralizing to
contributors.

I wrote earlier:

>     should simply put dates against ratings, and identify the criteria
>     version that a project was assessed against, then leave that rating
>     alone as the criteria continues to evolve over time. That is what
>     more well-established and formal testing programs for instance like
>     Common Criteria and FIPS 140 do.

I propose the following actions:

1. Delete "Please note that not all the projects below have been evaluated
under this criteria and might be re-classified once that process is
completed" from the tabs on the projects page.

2. Append to each project's short description on the projects page
"(Assessment Criteria <version>)". Going with version only instead of
version and date will simplify matters.

3. (Optional step) On each project's project page, wherever it currently
identifies its release status at the top of the page, append "(Assessment
Criteria <version>)"

I am assuming you're maintaining version control for project assessment
criteria. If not the time is now. Mark the current criteria v1.0, make sure
it's saved off and made accessible on the site somewhere, and assign
versions when new versions are released as time goes on.

If there has been no criteria versioning to date, or if you can tell me the
current version, I will go and update all listings on the projects page, then
you guys/whomever if you want to perform optional step (3) above, can email
project leads and ask them to update their project page to match.

If there's agreement, let me know what criteria version to put, and I'll
take care of updating the projects page listings. Then we can move onto the
next bite.

Mike