[Owasp-leaders] RFC: Two proposed next tweaks to the services registry
Boberski, Michael [USA]
boberski_michael at bah.com
Mon May 24 14:53:24 EDT 2010
Hi John. No worries.
[John] Does "listings are currently required to provide information" mean "the list has to include certain information about each provider"?
[Mike] Yes. For example, for "Verification", the following information is needed: "Provider listings are required to include the following information: company name and link to corporate web site, company location and markets served, company area(s) of application technology expertise, ASVS verification levels offered; approach to performing verifications, and contact name and email."
[John] What are "descriptions of approaches"?
[Mike] How one would go about performing e.g. verification. For example, for verification: "Acme Application Security Co.'s approach to performing dynamic scans (1A) combines passive vulnerability scanning with manually testing areas of interest. Our approach to performing source code scans (1B) targets both application code and goes beyond ASVS Level 1A requirements to additionally scan any open source underlying frameworks and libraries that were modified or extended to create your application. All reports are tailored to meet organization requirements."
[John] Could you given an example of a "given service"?
[Mike] Yes: "Verification" (for example, code review according to ASVS requirements), "Implementation Services" (for example, calling ESAPI for Java from a framework), "Process Improvement" (process improvement according to each of the SAMM business functions), and "Training" (training using an OWASP Guide).
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John Wilander
Sent: Monday, May 24, 2010 2:44 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks to the services registry
Hi Michael (and the rest of the leaders)!
I'm sorry but I don't understand what you mean by "OWASP commercial services registry provider listings are currently required to provide information that includes descriptions of approaches to performing a given service."
Does "listings are currently required to provide information" mean "the list has to include certain information about each provider"?
What are "descriptions of approaches"?
Could you given an example of a "given service"?
I'm not a native English speaker I'm afraid. Sorry.
2010/5/24 Boberski, Michael [USA] <boberski_michael at bah.com<mailto:boberski_michael at bah.com>>
As you know, I have been working on the OWASP commercial services registry/commercial services board.
We're basically shooting for a phone book that's sorted according to some OWASP artifacts as they are currently categorized, to try to nudge the planet along in adoption of them, to get consumers of services of those types to ask for them, by making it easy to find such service providers.
Towards the end of continuing its development, there are a next set of proposed updates that we would like your opinion on. A survey has been setup here: http://www.surveymonkey.com/s/9JDN98P If you can spare a few minutes to provide your input, it would be appreciated. The cutoff date is the end of the week.
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org<mailto:OWASP-Leaders at lists.owasp.org>
Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
Conference chair OWASP AppSec Research 2010, http://owasp.se
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders