[Owasp-leaders] Secure coding guide review

Paulo Coimbra paulo.coimbra at owasp.org
Thu Sep 9 12:08:39 EDT 2010


Keith (and GPC),

 

All this work of pushing this release forward through the assessment process
has honestly been a remarkable experience. You have shown both a wonderful
capacity of work and a not less outstanding patience to deal with all my
interminable requests. Last but not least, I’d like to point out your
capacity to quickly engage with the OWASP community and to listen to and
incorporate feedback. Being so, for all of the above, it has been a pleasure
and I thank you.

 

http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About

 

As for the next phases, what I propose is as follows:

 

1.      We rate the SCP v1 as an Alpha release, since the first reviewer, when
asked if ‘[there were] any missing sections critical enough to keep the
document at an alpha quality level’, stated ‘The document fulfils the
aim of being a Quick Reference Guide, but my personal feeling is that
something is missing (...)’.

 

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=First_Reviewer

 

2.      The Second Reviewer documents a bit better the contributions that he
has given to improve the SCP v1.

 

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer

 

3.      We begin right now the process of assessing the SCP v1.1. It seems
you will not have any difficulty having it rated as a Stable release, since
you have taken into account all the received feedback.

 

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1

 

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1/Assessment

 

I apologise if I sound bureaucratic. I’ve tried to balance your
understandable willingness to present a Stable version of your document
at our conference with our need to properly document the assessment process.


 

Please let me know whether or not you (and the GPC) agree with the suggested
path for us to follow.

 

Many thanks, best regards,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

 

From: Turpin, Keith N [mailto:keith.n.turpin at boeing.com] 
Sent: Thursday, 9 September 2010 01:28
To: Paulo Coimbra
Subject: RE: Secure coding guide review

 

Thanks for getting back to me. I am sorry to bug you at such a bad hour.

 

Brad just completed his form and I will do mine now.

 

As to the leaders comments:

- The HTML entity encoding statement has been revised per another reviewer's
similar input.

- I corresponded with Jeff about the correlation to the ASVS project and we
agreed that spending some time bringing them into closer alignment would be
valuable, but they do not conflict with each other at present and Jeff did
not actually have time to review the coding guide. His concern was based on
what he perceived as a potential overlap. While some exists, I do address
that in the guide and talk about where the guide fits in with the ASVS as
well as other existing OWASP projects.

 

Ideally I think at some point a comprehensive standardization effort among
projects will be needed to map out each project's role in the overall OWASP
application security project framework and ensure that they all relate well
to each other, so that someone trying to build a secure development program
using the different projects can basically plug and play them into that
program and have it all work. A standardization effort like this takes a lot
of work and significantly slows the creation process, so it may be too early
for that, but it will eventually be needed.

 

 

Keith Turpin CISSP, CSSLP
The Boeing Company
Information Security
(206) 683-9667 

Email Notice: This communication may contain sensitive information. If you
are not the intended recipient, or believe that you have received this
communication in error, do not print, copy, retransmit, disseminate or
otherwise use the information. Respond to the sender that you have received
this e-mail in error, and delete the copy you received.

 

 

  _____  

From: Paulo Coimbra [mailto:paulo.coimbra at owasp.org] 
Sent: Wednesday, September 08, 2010 5:05 PM
To: Turpin, Keith N
Cc: 'Ludovic Petit'; bradcausey at owasp.org; 'Jason Li'; 'OWASP Foundation
Board List'
Subject: RE: Secure coding guide review

Hello Keith,

 

From where I am answering you, Portugal, it’s already late - half an hour after
midnight - and so I am obliged to be concise. Tomorrow I will respond to you
thoroughly.

 

Being so and firstly, regarding the assessment’s formal process itself,
please note that all the three reviews must be uploaded and so we still need
yours and Brad’s.

 

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Project_Leader_for_this_Release

 

http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer

 

Secondly, as for rating the release as a Stable one, in operational terms, it
seems to me it can be done as soon as the First and Second Reviewers agree
on doing that.

 

However, since we have received quite a strong feedback through the leaders’
mailing list, may I ask if you have already addressed all the relevant
pointed out issues, e.g. the following ones?

 

-           ‘One quick note: this guide gives dangerous advice (HTML Entity
Encode all data sent to the client). It should advise contextual encoding’ –
Jim Manico,

 

-          ‘I suggest a review against the guides and ASVS would be productive’
– Jeff Williams,

 

I thank you for all your efforts, patience and diligence. I will contact you
again first thing in the morning.

 

Regards,

 

Paulo Coimbra,

 <https://www.owasp.org/index.php/Main_Page> OWASP Project Manager

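The point behind Jim Manico's comment above (and the revised encoding statement Keith mentions in his reply) is that output encoding must match the context the data lands in. The following is an added illustration, not code from the thread or from the Secure Coding Practices guide: it defines a small per-context encoder set and checks why HTML entity encoding alone is not enough for a value placed inside an inline event handler, where the HTML parser entity-decodes the attribute before the JavaScript engine reads it. The sample value and all function names are constructed for this example.

```python
import html
import urllib.parse

# Constructed sample (not from the thread): untrusted input an app wants to echo back.
UNTRUSTED = "O'Brien <b>\"x\"</b>"


def encode_html_body(value: str) -> str:
    """For text between tags: & < > \" ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """For a value inside a *quoted* attribute; same entity set as the body context."""
    return html.escape(value, quote=True)


def _js_escape_char(ch: str) -> str:
    cp = ord(ch)
    if cp > 0xFFFF:  # outside the BMP: emit a surrogate pair
        cp -= 0x10000
        return "\\u{:04x}\\u{:04x}".format(0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF))
    return "\\u{:04x}".format(cp)


def encode_js_string(value: str) -> str:
    """For the inside of a JS string literal: everything but ASCII alphanumerics -> \\uXXXX."""
    return "".join(ch if ch.isascii() and ch.isalnum() else _js_escape_char(ch) for ch in value)


def encode_url_param(value: str) -> str:
    """For a query-string parameter value: percent-encode everything but unreserved chars."""
    return urllib.parse.quote(value, safe="")


def attr_as_seen_by_js(attr_value: str) -> str:
    """The HTML parser entity-decodes an attribute before a handler such as onclick runs as JS."""
    return html.unescape(attr_value)


def html_encoding_alone_protects_js_attr(value: str) -> bool:
    """Value placed in onclick=\"f('...')\" with HTML entity encoding only.
    False: a quote survives decoding and can terminate the JS string literal."""
    return "'" not in attr_as_seen_by_js(encode_html_attr(value))


def layered_encoding_protects_js_attr(value: str) -> bool:
    """Encode for the innermost context (JS string) first, then the outer one (HTML attribute).
    What the JS engine sees is exactly the JS-escaped form, with no raw quote left."""
    seen = attr_as_seen_by_js(encode_html_attr(encode_js_string(value)))
    return seen == encode_js_string(value) and "'" not in seen
```

Running the two checks on UNTRUSTED shows the first returning False and the second True, which is the difference between "HTML entity encode everything" and contextual encoding.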
 

From: Turpin, Keith N [mailto:keith.n.turpin at boeing.com] 
Sent: Wednesday, 8 September 2010 23:40
To: Paulo Coimbra
Subject: Secure coding guide review

 

Paulo

 

I completed reviewing Ludovic Petit's feedback, which was mostly about the
opening structure of the document, and shared an updated version of the
document with him. I believe he supported moving to Release even before I
incorporated his input and he liked the changes.

 

I also reviewed all of the feedback from Brad Causey and sent him an updated
version for final review. I asked him to contact you if he approved the move
to Release or if he was unsure how to record his review.

 

Although not part of the formal review, I did get quite a bit of feedback,
mostly minor wording changes or typo corrections, from Michael Scovetta and
incorporated most of that as well.

 

I am working on creating an updated cross linked PDF file for the site now,
pending Brad's buy-off.

 

Assuming Brad likes what he sees, will it be possible to move this project
to Release before I present on it tomorrow afternoon? I will send you the
updated versions of the documents as soon as I hear from Brad or just prior
to the VIP party if I don't hear from him. I would want to get the new
versions posted even if the project reviews can't all be wrapped up in time.

 

I am rolling the document version to 1.1, in case anyone already downloaded
the originally posted version.

 

Also, please add the three gentlemen that provided reviews as contributors
to the project. Thank you for all your help.

 

 

Keith Turpin CISSP, CSSLP

The Boeing Company

Information Security

(206) 683-9667

 

 

 
