[Owasp-leaders] RFC: OWASP COMMERCIAL SERVICES REGISTRY
Boberski, Michael [USA]
boberski_michael at bah.com
Mon Apr 26 08:21:45 EDT 2010
Is this simply
(1) a bulletin board where OWASP does not assess the individual listed organisations? If so, this will take significant effort to police.
[Mike] No, it would be configured like the "Jobs" page. I would be the one making updates as the project lead in response to email queries/requests. Presumably Kate and so on would also have access for administrative purposes.
(2) a list of recognised/proven orgs who actually provide OWASP-related services?
[Mike] It will be a list of vendors who claim they provide services based on OWASP deliverables.
If (2), an approval criterion needs to be established. There are a number of reasons for this, one being governance and openness, but also to prevent misuse of this opportunity by organisations.
[Mike] Check out the requirements that preface each table on each tab.
If (2), I believe we need to establish an approval board or committee to assess orgs who wish to add themselves to the registry. I don't believe one individual can make this decision?
[Mike] Orgs won't add themselves, as noted above. The basis for accepting/rejecting listings will be based on the requirements that preface each table on each tab. E.g. the requirement "approach to performing verifications" would be passed/failed when a request is submitted to be listed depending on whether an approach was provided, not the quality or content of the approach. E.g. if a company has SQL injection sniffing dogs and that's how they do verification, good enough.
If (1), we need a strong disclaimer on the pages, but either option will need control to prevent spam etc.
[Mike] Orgs won't add themselves, as noted above.
Once organisations get onto the registry how long can they stay on it, ad infinitum?