[Owasp-leaders] Secure coding guide review

Brad Causey bradcausey at owasp.org
Thu Sep 9 16:16:58 EDT 2010


I think the change in revision numbers got us off course.

Paulo, at this point, I think he was moving from 1.0 (unstable) to 1.1 being
a stable version of 1.0.

It also seems that the second reviewer needs to provide more robust input
(me).

Are there any requirements that are keeping the current version of the
document from becoming stable?

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--


On Thu, Sep 9, 2010 at 12:00 PM, Paulo Coimbra <paulo.coimbra at owasp.org>wrote:

>  Keith,
>
>
>
> I am only looking for a path that simultaneously makes sense for everybody,
> is in accordance with our assessment criteria and assures a historical
> record of what was done through the release development and review process.
>
>
>
> In this context, it seems to me that we could keep all the questions raised
> by both ‘formal’ reviewers linked with the version 1 document which has
> generated them and explains an Alpha status rating.
>
>
>
> Conversely, we could also link the improved document version (v1.1) with
> the next review to show why it is (as we expect it will be) rated as Stable
> release.
>
>
>
> I believe the options above can assure a clear approach. However, as far as
> I understand the situation, the assessment criteria, which is still under
> improvement, is only a set of guidelines anyhow subjected to different
> interpretations and, being so, if you think we should proceed differently,
> please let us know what you propose for us to think about and discuss.
>
>
>
> Many thanks, best regards,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com]
> *Sent:* Thursday, 9 September 2010 17:34
> *To:* Paulo Coimbra
>
> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org; 'Matt Tesauro'; 'Jeff
> Williams'; jim.manico at owasp.org; JMcGovern at virtusa.com;
> michael.scovetta at gmail.com; owasp-leaders at lists.owasp.org;
> global-projects-committee at lists.owasp.org; 'OWASP Foundation Board List'
> *Subject:* RE: Secure coding guide review
>
>
>
> I'm okay with this approach; however, the changes from 1 to 1.1 were to
> address the reviewer feedback, plus that of a couple of other leaders.
>
>
>
> I corresponded with the reviewers to get agreement that I had addressed
> their concerns and I believe both have already agreed that I did.
>
>
>
> So if you really prefer that they officially review the 1.1 release, I
> guess we can go that route, but I looked at 1.1 as the real first release
> and only rolled from 1 to 1.1 to ensure it was clear which was the post
> review version.
>
>
>
>
>
> Keith Turpin CISSP, CSSLP
> The Boeing Company
> Information Security
> (206) 683-9667
>
> Email Notice: This communication may contain sensitive information. If you
> are not the intended recipient, or believe that you have received this
> communication in error, do not print, copy, retransmit, disseminate or
> otherwise use the information. Respond to the sender that you have received
> this e-mail in error, and delete the copy you received.
>
>
>
>
>  ------------------------------
>
> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> *Sent:* Thursday, September 09, 2010 9:09 AM
> *To:* Turpin, Keith N
> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org; 'Matt Tesauro'; 'Jeff
> Williams'; jim.manico at owasp.org; JMcGovern at virtusa.com;
> michael.scovetta at gmail.com; owasp-leaders at lists.owasp.org;
> global-projects-committee at lists.owasp.org; 'OWASP Foundation Board List'
> *Subject:* RE: Secure coding guide review
>
> Keith (and GPC),
>
>
>
> All this work of pushing this release forward through the assessment
> process has honestly been a remarkable experience. You have shown both a
> wonderful capacity for work and a no less outstanding patience to deal with
> all my interminable requests. Last but not least, I’d like to point
> out your capacity to quickly engage with the OWASP community and to listen to
> and to incorporate feedback. Being so, for all of the above, it has been a
> pleasure and I thank you.
>
>
>
>
> http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About
>
>
>
> As for the next phases, what I propose is as follows:
>
>
>
> 1.      *We rate the SCP v1 as an Alpha release* since the first reviewer,
> when asked if ‘[there were] any missing sections critical enough to keep the
> document at an alpha quality level’, has stated ‘The document fulfils the
> aim of being a Quick Reference Guide, but my personal feeling is that
> something is missing (...)’.
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=First_Reviewer
>
>
> 2.      The Second Reviewer documents a bit better the contributions that
> he has given to improve the SCP v1.
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
>
>
> 3.      *We begin right now the process of assessing the SCP v1.1.* – It
> seems you will not have any difficulty having it rated as a Stable release
> since you have taken into account all the feedback received.
>
>
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1
>
>
>
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1/Assessment
>
>
>
> I apologise if I sound bureaucratic. I’ve tried to balance your
> understandable willingness of presenting a Stable version of your document
> at our conference with our need to properly document the assessment process.
>
>
>
>
> Please let me know whether or not you (and the GPC) agree with the
> suggested path for us to follow.
>
>
>
> Many thanks, best regards,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com]
> *Sent:* Thursday, 9 September 2010 01:28
> *To:* Paulo Coimbra
> *Subject:* RE: Secure coding guide review
>
>
>
> Thanks for getting back to me. I am sorry to bug you at such a bad hour.
>
>
>
> Brad just completed his form and I will do mine now.
>
>
>
> As to the leaders comments:
>
> - The HTML entity encoding statement has been revised per another
> reviewer's similar input.
>
> - I corresponded with Jeff about the correlation to the ASVS project and we
> agreed that spending some time bringing them into closer alignment would be
> valuable, but they do not conflict with each other at present and Jeff did
> not actually have time to review the coding guide. His concern was based on
> what he perceived as a potential overlap. While some exists, I do address
> that in the guide and talk about where the guide fits in with the ASVS as
> well as other existing OWASP projects.
>
>
>
> Ideally I think at some point a comprehensive standardization effort among
> projects will be needed to map out each project's role in the overall OWASP
> application security project framework and ensure that they all relate well
> to each other, so that someone trying to build a secure development
> program using the different projects can basically plug and play them into
> that program and have it all work. A standardization effort like this takes
> a lot of work and significantly slows the creation process, so it may be too
> early for that, but it will eventually be needed.
>
>
>
>
>
> Keith Turpin CISSP, CSSLP
> The Boeing Company
> Information Security
> (206) 683-9667
>
>
>
>
>
>  ------------------------------
>
> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org]
> *Sent:* Wednesday, September 08, 2010 5:05 PM
> *To:* Turpin, Keith N
> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org; 'Jason Li'; 'OWASP Foundation
> Board List'
> *Subject:* RE: Secure coding guide review
>
> Hello Keith,
>
>
>
> From where I am answering you, Portugal, it’s already late - half an hour
> after midnight - and so I am obliged to be concise. Tomorrow I will respond
> to you thoroughly.
>
>
>
> Being so and firstly, regarding the assessment’s formal process itself,
> please note that all the three reviews must be uploaded and so we still need
> yours and Brad’s.
>
>
>
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Project_Leader_for_this_Release
>
>
>
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
>
>
>
> Secondly, as for rating the release as a Stable one, in operational terms, it
> seems to me it can be done as soon as the First and Second Reviewers agree
> on doing that.
>
>
>
> However, since we have received quite strong feedback through the
> leaders’ mailing list, may I ask if you have already addressed all the
> relevant issues pointed out, e.g. the following ones?
>
> -           ‘One quick note: this guide gives dangerous advice (HTML
> Entity Encode all data sent to the client). It should advise contextual
> encoding’ - Jim Manico,
>
> -          ‘I suggest a review against the guides and ASVS would be
> productive’ – Jeff Williams,
>
>
> I thank you for all your efforts, patience and diligence. I will contact you
> again, first thing in the morning.
>
>
>
> Regards,
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com]
> *Sent:* Wednesday, 8 September 2010 23:40
> *To:* Paulo Coimbra
> *Subject:* Secure coding guide review
>
>
>
> Paulo
>
>
>
> I completed reviewing Ludovic Petit's feedback, which was mostly about the
> opening structure of the document, and shared an updated version of the
> document with him. I believe he supported moving to Release even before I
> incorporated his input and he liked the changes.
>
>
>
> I also reviewed all of the feedback from Brad Causey and sent him an
> updated version for final review. I asked him to contact you if he approved
> the move to Release or if he was unsure how to record his review.
>
>
>
> Although not part of the formal review, I did get quite a bit of feedback,
> mostly minor wording changes or typo corrections, from Michael Scovetta and
> incorporated most of that as well.
>
>
>
> I am working on creating an updated cross linked PDF file for the site now,
> pending Brad's buy-off.
>
>
>
> Assuming Brad likes what he sees, will it be possible to move this project
> to Release before I present on it tomorrow afternoon? I will send you the
> updated versions of the documents as soon as I hear from Brad or just prior
> to the VIP party if I don't hear from him. I would want to get the new
> versions posted even if the project reviews can't all be wrapped up in time.
>
>
>
> I am rolling the document version to 1.1, in case anyone already downloaded
> the originally posted version.
>
>
>
> Also, please add the three gentlemen who provided reviews as contributors
> to the project. Thank you for all your help.
>
>
>
>
>
> Keith Turpin CISSP, CSSLP
>
> The Boeing Company
>
> Information Security
>
> (206) 683-9667
>
>
>
>
>
>
>
>
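The one technical point raised in the quoted thread is Jim Manico's objection that "HTML entity encode all data sent to the client" is dangerous advice and that the guide should call for contextual output encoding. The example below illustrates why. It is added here as an editorial illustration and is not code from the OWASP Secure Coding Practices guide, from the reviewers, or from this thread; the encoder functions (`encodeForHtml`, `encodeForJsString`, `encodeForUrlParam`), the `decodeAsJsStringLiteral` helper and the `SAMPLE` value are all constructed for this example and are deliberately simplified.

```javascript
// Added example (not from the OWASP guide or this thread): contextual output
// encoding versus blanket HTML entity encoding. All names below are constructed
// for this illustration; the encoders are simplified, not production libraries.

// Context 1: HTML element content and quoted attribute values. The HTML parser
// decodes these entities, so the original characters reach the DOM as text.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, c => map[c]);
}

// Context 2: a JavaScript string literal inside a <script> block. The HTML
// parser does not decode entities there, so the escape has to be one the
// JavaScript lexer understands: \xHH (or \uHHHH) for every non-alphanumeric.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Context 3: a URL query parameter value (percent-encoding).
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Emulates what the script engine makes of `var x = '<encoded>';` so the two
// encoders can be compared in the JavaScript-string context. new Function is
// used here only as a stand-in for the browser's parser on constructed input.
function decodeAsJsStringLiteral(encoded) {
  try {
    return new Function("return '" + encoded + "';")();
  } catch (e) {
    return null; // the literal did not parse: the value broke the surrounding code
  }
}

// Constructed sample value mixing characters that matter in several contexts.
const SAMPLE = "O'Brien </script> \\ \"x\" & co";

function demo() {
  const jsRoundTrip = decodeAsJsStringLiteral(encodeForJsString(SAMPLE));
  const htmlInJs = decodeAsJsStringLiteral(encodeForHtml(SAMPLE));
  return {
    html: encodeForHtml(SAMPLE),
    js: encodeForJsString(SAMPLE),
    url: encodeForUrlParam(SAMPLE),
    // Right encoder for the context: the value survives intact.
    jsRoundTripOk: jsRoundTrip === SAMPLE,
    // Wrong encoder for the context: entity-encoded text in a JS literal is
    // corrupted (entities stay literal, the backslash is consumed as an escape)
    // or fails to parse, so the HTML encoder cannot be the one rule for all output.
    htmlInJsOk: htmlInJs === SAMPLE,
  };
}

console.log(demo());
```

Run with `node`, and `demo()` reports `jsRoundTripOk: true` and `htmlInJsOk: false`: the same value needs a different encoder depending on whether it lands in HTML text, a script string, or a URL parameter, which is exactly the contextual-encoding rule the reviewer asked the guide to state.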
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20100909/ca70db35/attachment-0001.html 

