[Owasp-leaders] RFC: Two proposed next tweaks to the services registry

Boberski, Michael [USA] boberski_michael at bah.com
Mon May 24 15:27:34 EDT 2010


Hi Antonio. For "As the approach is generally integrated in most of our guides", perhaps consider ways in which the training would be delivered, e.g. using hands-on exercises, or strictly using paper. Maybe one has one's own set of vulnerable apps that make teaching easier or faster in some regard. Those types of things. That's the intent for the training tab, in terms of approach.

Best,

Mike B.


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Antonio Fontes
Sent: Monday, May 24, 2010 3:19 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks to the services registry

[descriptions of approaches]
I wanted to click, but after reading Michael's email, I couldn't.

As the approach is generally integrated in most of our guides, it
seems that "descriptions of approaches" would simply require a company
to repeat "I am doing this the way the OWASP guide recommends it.",
which would be like a dog chasing its tail, no?

Most of all, we still have the chapter leaders. Isn't there any way we
can involve the leaders in this registry?

On 24 May 2010 20:53, Boberski, Michael [USA] <boberski_michael at bah.com> wrote:
> Hi John. No worries.
>
> [John] Does "listings are currently required to provide information" mean
> "the list has to include certain information about each provider"?
>
> [Mike] Yes. For example, for "Verification", the following information is
> needed: "Provider listings are required to include the following
> information: company name and link to corporate web site, company location
> and markets served, company area(s) of application technology expertise,
> ASVS verification levels offered; approach to performing verifications, and
> contact name and email."
>
> [John] What are "descriptions of approaches"?
>
> [Mike] How one would go about performing e.g. verification. For example, for
> verification: "Acme Application Security Co.'s approach to performing
> dynamic scans (1A) combines passive vulnerability scanning with manually
> testing areas of interest. Our approach to performing source code scans (1B)
> targets both application code and goes beyond ASVS Level 1A requirements to
> additionally scan any open source underlying frameworks and libraries that
> were modified or extended to create your application. All reports are
> tailored to meet organization requirements."
>
> [John] Could you give an example of a "given service"?
>
> [Mike] Yes: "Verification" (for example, code review according to ASVS
> requirements), "Implementation Services" (for example, calling ESAPI for
> Java from a framework), "Process Improvement" (process improvement according
> to each of the SAMM business functions), and "Training" (training using an
> OWASP Guide).
>
> Best,
>
> Mike B.
>
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John Wilander
> Sent: Monday, May 24, 2010 2:44 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] RFC: Two proposed next tweaks to the services
> registry
>
> Hi Michael (and the rest of the leaders)!
>
> I'm sorry but I don't understand what you mean by "OWASP commercial services
> registry provider listings are currently required to provide information
> that includes descriptions of approaches to performing a given service."
>
> Does "listings are currently required to provide information" mean "the list
> has to include certain information about each provider"?
>
> What are "descriptions of approaches"?
>
> Could you give an example of a "given service"?
>
> I'm not a native English speaker I'm afraid. Sorry.
>
> Regards, John
>
> 2010/5/24 Boberski, Michael [USA] <boberski_michael at bah.com>
>
> Dear Colleagues,
>
> As you know, I have been working on the OWASP commercial services
> registry/commercial services board.
>
> We're basically shooting for a phone book that's sorted according to some
> OWASP artifacts as they are currently categorized, to try to nudge the
> planet along in adoption of them, to get consumers of services of those
> types to ask for them, by making it easy to find such service providers.
>
> Towards the end of continuing its development, there is a next set of
> proposed updates that we would like your opinion on. A survey has been set up
> here: http://www.surveymonkey.com/s/9JDN98P  If you can spare a few minutes
> to provide your input, it would be appreciated. The cutoff date is the end
> of the week.
>
> Best,
>
> Mike B.
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> --
> John Wilander
> Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
> Conference chair OWASP AppSec Research 2010, http://owasp.se
>
-- 
OWASP Geneva Chapter
http://owasp.ch/geneva
Join the mailing list: https://lists.owasp.org/mailman/listinfo/owasp-Geneva