[Owasp-leaders] FW: REQUEST FOR DECISION/CALL FOR CONTRIBUTIONS TO UPDATE THE ASSESSMENT CRITERIA
mtesauro at gmail.com
Sat Mar 7 23:25:14 EST 2009
Mike Boberski wrote:
> The only way to eat an elephant is one bite at a time.
> Let us start with the first bite.
> Re: "Please note that not all the projects below have been evaluated
> under this criteria and might be re-classified once that process is
> completed" which is now on each tab of the projects page. We need to
> discuss this!
> Overturning verdicts/assessments does not provide consumers in any
> context with confidence that the rating organization has its stuff
> together or that its ratings mean anything. It is also completely
> demoralizing to contributors.
> I wrote earlier:
> > should simply put dates against ratings, and identify the criteria
> > version that a project was assessed against, then leave that rating
> > alone as the criteria continues to evolve over time. That is what
> > more well-established and formal testing programs for instance like
> > Common Criteria and FIPS 140 do.
> I propose the following actions:
> 1. Delete "Please note that not all the projects below have been
> evaluated under this criteria and might be re-classified once that
> process is completed" from the tabs on the projects page.
I agree with this. I'd rather have to clear up and answer specific
questions than globally spread doubt. Hell, it's a wiki so why not make
the change, it's all versioned anyway.
> 2. Append to each project's short description on the projects page
> "(Assessment Criteria <version>)". Going with version only instead of
> version and date will simplify matters.
I also like this as it both shows per project where they are and also
(by its lack) would show projects that pre-date the criteria. This is
useful information to both internal and external audiences.
> 3. (Optional step) On each project's project page, wherever it currently
> identifies its release status at the top of the page, append
> "(Assessment Criteria <version>)"
I also think this is a stellar idea.
> I am assuming you're maintaining version control for project assessment
> criteria. If not the time is now. Mark the current criteria v1.0, make
> sure it's saved off and made accessible on the site somewhere, and
> assign versions when new versions are released as time goes on.
I haven't heard an explicit version number used - most frequently it is
spoken about with the SoC as its context.
Since the one used for 2008 SoC is the first assessment criteria, v1.0
makes sense to me.
> If there has been no criteria versioning to date, or if you can tell me
> the current version, I will go and update all listings on the projects
> page, then you guys/whomever, if you want to perform optional step (3)
> above, can email project leads and ask them to update their project page
> to match.
Again, v1.0 makes the most sense for the criteria version number. Paulo
will hopefully chime in if I'm incorrect in my thinking.
> If there's agreement, let me know what criteria version to put, and I'll
> take care of updating the projects page listings. Then we can move onto
> the next bite.
If you don't get an explicit request to NOT do this by the time you wake
up on Tuesday, March 10th (whatever the timezone), then consider
agreement to be reached. I've CC'ed the Global Project Committee in
case they disagree with this.
-- Matt Tesauro
OWASP Live CD Project Lead
http://mtesauro.com/livecd/ - Documentation Wiki