[Owasp-leaders] Secure coding guide review

Matt Tesauro mtesauro at gmail.com
Mon Sep 13 22:26:57 EDT 2010


I'd like to suggest a middle path.  And apologies for replying so late 
in the game, I'm just now catching up on all the email I got during 
AppSec US.

It seems to me that we may be inadvertently punishing good behavior. 
Here's my point:

We have a case where a project lead got reviewed (and got a ton of 
additional comments), took all that feedback and made the project 
better.  This is definitely a win for OWASP and the project.

However, if we do a full re-review, we'll be rewarding that good 
behavior by providing extra work to achieve the end goal (stable release 
in this case).

I do see the value in getting the reviewers to look at the new version 
(1.1 in this case) but perhaps we need a lighter weight process.

** My proposed change to AC v2 **

In the case that a project leader updates a project to address the 
feedback provided by reviewers, the following steps should apply:
(1) The project leader will inform the reviewers of the update and ask 
them to have a second look to ensure the points they raised were addressed.
(2) Each reviewer will append two items to their review [1]
    (2.1) A yes/no question which says they have reviewed the updated 
item and it addressed the issues raised in their initial review.
    (2.2) A space for them to leave any comments about their re-review.

** end of changes **

I think this will balance the need for OWASP to have fully reviewed 
projects and the additional work we ask project leaders and reviewers to 
undertake.

All in favor say, "Aye"

[1] This will require a minor change to the template used for reviews 
going forward.  The two items can be added at the bottom of the 
reviewer section.

BTW, in retrospect, this was a case which I didn't anticipate when I was 
authoring AC v2.  I fully admit that I missed this and am actually quite 
glad we've both found the gap and a good method to bridge it in future.

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 9/9/10 3:58 PM, Paulo Coimbra wrote:
> Brad et al,
>
> From what I’ve understood there is nothing keeping the version 1.1 from
> being rated as Stable and thus I propose that project leader and both
> reviewers answer again to the assessment inquiry to say so if they want to.
>
> Also, my intention was not for me to ask for more robust input but
> solely for better documenting the input you have supplied and was used
> by Keith as he has mentioned.
>
> As I’ve said before I understand that there are of course other ways to
> push forward the historical registration of this process and I am
> obviously open to them all, if not for anything else, because I am here
> to support project leaders’ work and GPC members’ decisions ;)
>
> Thanks,
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
> *From:* bradcausey at gmail.com [mailto:bradcausey at gmail.com] *On Behalf Of
> *Brad Causey
> *Sent:* Thursday, 9 September 2010 21:17
> *To:* Paulo Coimbra
> *Cc:* Turpin, Keith N; Ludovic Petit; Matt Tesauro; Jeff Williams;
> jim.manico at owasp.org; JMcGovern at virtusa.com; michael.scovetta at gmail.com;
> owasp-leaders at lists.owasp.org;
> global-projects-committee at lists.owasp.org; OWASP Foundation Board List
> *Subject:* Re: Secure coding guide review
>
> I think the change in revision numbers got us off course.
>
> Paulo, at this point, I think he was moving from 1.0(unstable) to 1.1
> being a stable version of 1.0
>
> It also seems that the second reviewer needs to provide more robust
> input (me).
>
> Are there any requirements that are keeping the current version of the
> document from becoming stable?
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> "Si vis pacem, para bellum"
> --
>
> On Thu, Sep 9, 2010 at 12:00 PM, Paulo Coimbra <paulo.coimbra at owasp.org
> <mailto:paulo.coimbra at owasp.org>> wrote:
>
> Keith,
>
> I am only looking for a path that simultaneously makes sense for
> everybody, is in accordance with our assessment criteria and assures a
> historical record of what was done through the release development and
> review process.
>
> In this context, it seems to me that we could keep all the questions
> raised by both ‘formal’ reviewers linked with the version 1 document
> which has generated them and explains an Alpha status rating.
>
> Conversely, we could also link the improved document version (v1.1) with
> the next review to show why it is (as we expect it will be) rated as
> Stable release.
>
> I believe the options above can assure a clear approach. However, as far
> as I understand the situation, the assessment criteria, which are still
> under improvement, are only a set of guidelines, in any case subject to
> different interpretations and, being so, if you think we should proceed
> differently, please let us know what you propose for us to think about
> and discuss.
>
> Many thanks, best regards,
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
> <mailto:keith.n.turpin at boeing.com>]
> *Sent:* Thursday, 9 September 2010 17:34
> *To:* Paulo Coimbra
>
>
> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
> <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams';
> jim.manico at owasp.org <mailto:jim.manico at owasp.org>;
> JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>;
> michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>;
> owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>;
> global-projects-committee at lists.owasp.org
> <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation
> Board List'
> *Subject:* RE: Secure coding guide review
>
> I'm okay with this approach, however the changes from 1 to 1.1 were to
> address the reviewer feedback, plus that of a couple other leaders.
>
> I corresponded with the reviewers to get agreement that I had addressed
> their concerns and I believe both have already agreed that I did.
>
> So if you really prefer that they officially review the 1.1 release, I
> guess we can go that route, but I looked at 1.1 as the real first
> release and only rolled from 1 to 1.1 to ensure it was clear which was
> the post review version.
>
> Keith Turpin CISSP, CSSLP
> The Boeing Company
> Information Security
> (206) 683-9667
>
> Email Notice: This communication may contain sensitive information. If
> you are not the intended recipient, or believe that you have received
> this communication in error, do not print, copy, retransmit, disseminate
> or otherwise use the information. Respond to the sender that you have
> received this e-mail in error, and delete the copy you received.
>
> ------------------------------------------------------------------------
>
> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org
> <mailto:paulo.coimbra at owasp.org>]
> *Sent:* Thursday, September 09, 2010 9:09 AM
> *To:* Turpin, Keith N
> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
> <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams';
> jim.manico at owasp.org <mailto:jim.manico at owasp.org>;
> JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>;
> michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>;
> owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>;
> global-projects-committee at lists.owasp.org
> <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation
> Board List'
> *Subject:* RE: Secure coding guide review
>
> Keith (and GPC),
>
> All this work of pushing this release forward through the assessment
> process has honestly been a remarkable experience. You have shown both a
> wonderful capacity for work and no less outstanding patience in dealing
> with all my interminable requests. Last but not least, I’d like to point
> out your capacity to engage quickly with the OWASP community and to
> listen to and incorporate feedback. Being so, for all of the above,
> it has been a pleasure and I thank you.
>
> http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About
>
>
> As for the next phases, what I propose is as follows:
>
> 1. *We rate the SCP v1 as an Alpha release* since the first reviewer,
> when asked if ‘[there were] any missing sections critical enough to keep
> the document at an alpha quality level’, has stated ‘The document
> fulfils the aim of being a Quick Reference Guide, but my personal
> feeling is that something is missing (...)’.
>
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=First_Reviewer
>
>
> 2. The Second Reviewer documents a bit better the contributions that he
> has given to improve the SCP v1.
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
>
>
> 3. *We begin right now the process of assessing the SCP v1.1.* It
> seems you will not have any difficulty having it rated as a Stable
> release since you have taken into account all the received feedback.
>
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1
>
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1/Assessment
>
>
> I apologise if I sound bureaucratic. I’ve tried to balance your
> understandable willingness to present a Stable version of your
> document at our conference with our need to properly document the
> assessment process.
>
> Please let me know whether or not you (and the GPC) agree with the
> suggested path for us to follow.
>
> Many thanks, best regards,
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
> <mailto:keith.n.turpin at boeing.com>]
> *Sent:* Thursday, 9 September 2010 01:28
> *To:* Paulo Coimbra
> *Subject:* RE: Secure coding guide review
>
> Thanks for getting back to me. I am sorry to bug you at such a bad hour.
>
> Brad just completed his form and I will do mine now.
>
> As to the leaders comments:
>
> - The HTML entity encoding statement has been revised per another
> reviewer's similar input.
>
> - I corresponded with Jeff about the correlation to the ASVS project and
> we agreed that spending some time bringing them into closer alignment
> would be valuable, but they do not conflict with each other at present
> and Jeff did not actually have time to review the coding guide. His
> concern was based on what he perceived as a potential overlap. While
> some exists, I do address that in the guide and talk about where the
> guide fits in with the ASVS as well as other existing OWASP projects.
>
> Ideally I think at some point a comprehensive standardization effort
> among projects will be needed to map out each project's role in the
> overall OWASP application security project framework and ensure that
> they all relate well to each other, so that someone trying to build a
> secure development program using the different projects can basically
> plug and play them into that program and have it all work. A
> standardization effort like this takes a lot of work and significantly
> slows the creation process, so it may be too early for that, but it will
> eventually be needed.
>
> Keith Turpin CISSP, CSSLP
> The Boeing Company
> Information Security
> (206) 683-9667
>
> Email Notice: This communication may contain sensitive information. If
> you are not the intended recipient, or believe that you have received
> this communication in error, do not print, copy, retransmit, disseminate
> or otherwise use the information. Respond to the sender that you have
> received this e-mail in error, and delete the copy you received.
>
> ------------------------------------------------------------------------
>
> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org
> <mailto:paulo.coimbra at owasp.org>]
> *Sent:* Wednesday, September 08, 2010 5:05 PM
> *To:* Turpin, Keith N
> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
> <mailto:bradcausey at owasp.org>; 'Jason Li'; 'OWASP Foundation Board List'
> *Subject:* RE: Secure coding guide review
>
> Hello Keith,
>
> From where I am answering you, Portugal, it’s already late - half an
> hour after midnight - and so I am obliged to be concise. Tomorrow I will
> respond to you thoroughly.
>
> Being so and firstly, regarding the assessment’s formal process itself,
> please note that all the three reviews must be uploaded and so we still
> need yours and Brad’s.
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Project_Leader_for_this_Release
>
> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
>
>
> Secondly, as for rating the release as a Stable one, in operational terms,
> it seems to me it can be done as soon as the First and Second Reviewers
> agree on doing that.
>
> However, since we have received quite strong feedback through the
> leaders’ mailing list, may I ask if you have already addressed all the
> relevant issues pointed out, e.g. the following ones?
>
>
> - ‘One quick note: this guide gives dangerous advice (HTML Entity Encode
> all data sent to the client). It should advise contextual encoding’ - Jim
> Manico,
>
>
> - ‘I suggest a review against the guides and ASVS would be productive’ –
> Jeff Williams,
>
>
> I thank you for all your efforts, patience and diligence. I will contact
> you again first thing in the morning.
>
> Regards,
>
> Paulo Coimbra,
>
> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>
> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
> <mailto:keith.n.turpin at boeing.com>]
> *Sent:* Wednesday, 8 September 2010 23:40
> *To:* Paulo Coimbra
> *Subject:* Secure coding guide review
>
> Paulo
>
> I completed reviewing Ludovic Petit's feedback, which was mostly about
> the opening structure of the document, and shared an updated version of
> the document with him. I believe he supported moving to Release even
> before I incorporated his input and he liked the changes.
>
> I also reviewed all of the feedback from Brad Causey and sent him an
> updated version for final review. I asked him to contact you if he
> approved the move to Release or if he was unsure how to record his review.
>
> Although not part of the formal review, I did get quite a bit of
> feedback, mostly minor wording changes or typo corrections, from Michael
> Scovetta and incorporated most of that as well.
>
> I am working on creating an updated cross linked PDF file for the site
> now, pending Brad's buy-off.
>
> Assuming Brad likes what he sees, will it be possible to move this
> project to Release before I present on it tomorrow afternoon? I will
> send you the updated versions of the documents as soon as I hear from
> Brad or just prior to the VIP party if I don't hear from him. I would
> want to get the new versions posted even if the project reviews can't
> all be wrapped up in time.
>
> I am rolling the document version to 1.1, in case anyone already
> downloaded the originally posted version.
>
> Also, please add the three gentlemen that provided reviews as
> contributors to the project. Thank you for all your help.
>
> Keith Turpin CISSP, CSSLP
>
> The Boeing Company
>
> Information Security
>
> (206) 683-9667
>
> Email Notice: This communication may contain sensitive information. If
> you are not the intended recipient, or believe that you have received
> this communication in error, do not print, copy, retransmit, disseminate
> or otherwise use the information. Respond to the sender that you have
> received this e-mail in error, and delete the copy you received.
>
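The one technical point in this thread is Jim Manico's objection to the guide's original advice to "HTML Entity Encode all data sent to the client" in favour of contextual output encoding. The difference is easiest to see in code, so the following is an added example written for this edit; it is not code from the Secure Coding Practices guide, nor from anyone in the thread. The encoders are hand-written for illustration only (a maintained encoding library should be used in production), the URL allow-list policy and its `about:blank` fallback are hypothetical, `htmlAttributeDecode` only simulates the entity decoding a browser performs on attribute values before handing them to the JavaScript engine, and the three attacker payloads are constructed. It runs under Node.

```javascript
// Added example (not from the OWASP SCP guide or this thread): why a single
// HTML entity encoder applied to all output is insufficient, and what
// contextual output encoding looks like. Encoders are hand-written for
// illustration only; use a maintained encoding library in production.

// The advice the thread objects to: HTML entity encoding for everything.
function htmlEntityEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Contextual encoders: each is safe only in the output location it is named for.

// HTML element content: the five-character set above is sufficient here.
const encodeForHtml = htmlEntityEncode;

// HTML attribute value: encode every non-alphanumeric character, so an unquoted
// attribute cannot be ended by whitespace and a quoted one cannot be closed.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string literal: \xHH / \uHHHH escapes. Unlike HTML entities these
// are not undone when the browser entity-decodes an event-handler attribute.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, "0")}`
      : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// URL for href/src: encoding alone is not enough, because "javascript:alert(1)"
// contains nothing to encode. The scheme must be allow-listed first
// (hypothetical policy: http(s) absolute URLs or a same-origin path).
function encodeForUrl(s) {
  const url = String(s);
  if (!/^(https?:\/\/|\/(?!\/))/i.test(url)) return "about:blank"; // hypothetical fallback
  return encodeURI(url);
}

// Simulation of what a browser does to an attribute such as onclick before
// the JavaScript engine sees it: HTML entity decoding. Handles only the
// entities the encoders above emit.
function htmlAttributeDecode(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"' };
  return s.replace(/&(#x([0-9a-f]+)|#(\d+)|amp|lt|gt|quot);/gi, (m, _, hex, dec) => {
    if (hex) return String.fromCharCode(parseInt(hex, 16));
    if (dec) return String.fromCharCode(parseInt(dec, 10));
    return named[m.slice(1, -1).toLowerCase()];
  });
}

// Three constructed attacker inputs, each placed in a different output context,
// first with the blanket HTML entity encoder and then with the contextual one.
function demonstrate() {
  const unquotedAttr = "x onmouseover=alert(1)";   // constructed payload
  const eventHandler = "'); alert(1); ('";         // constructed payload
  const href = "javascript:alert(1)";              // constructed payload

  // 1. Unquoted attribute: the entity encoder leaves ' ' and '=' alone, so the
  //    input becomes a second attribute. The attribute encoder does not.
  const naiveAttr = `<div title=${htmlEntityEncode(unquotedAttr)}>`;
  const safeAttr = `<div title=${encodeForHtmlAttribute(unquotedAttr)}>`;

  // 2. JS string inside an onclick attribute: &#x27; is decoded back to a quote
  //    before the JS parser runs, so the string breaks out. \x27 stays a literal.
  const naiveJs = htmlAttributeDecode(`f('${htmlEntityEncode(eventHandler)}')`);
  const safeJs = htmlAttributeDecode(
    `f('${encodeForHtmlAttribute(encodeForJsString(eventHandler))}')`);

  // 3. href: a javascript: URL has no characters for the entity encoder to touch;
  //    only the scheme allow-list stops it. The result is attribute-encoded
  //    afterwards because it lands inside a quoted attribute.
  const naiveHref = `<a href="${htmlEntityEncode(href)}">`;
  const safeHref = `<a href="${encodeForHtmlAttribute(encodeForUrl(href))}">`;

  return {
    naiveAttrInjectsHandler: /\sonmouseover=/.test(naiveAttr),
    safeAttrInjectsHandler: /\sonmouseover=/.test(safeAttr),
    naiveJsBreaksOut: naiveJs.includes("'); alert(1);"),
    safeJsBreaksOut: safeJs.includes("'); alert(1);"),
    naiveHrefIsJavascript: /href="javascript:/i.test(naiveHref),
    safeHrefIsJavascript: /href="javascript:/i.test(safeHref),
  };
}

console.log(demonstrate());
```

The three cases are the ones a blanket entity encoder misses: an unquoted attribute (whitespace is not encoded), JavaScript inside an event-handler attribute (the browser decodes the entities back before parsing the script), and a URL attribute (a `javascript:` scheme has nothing to encode, so encoding cannot help; only scheme validation does). `encodeForHtml` is kept as a separate name even though it is the same function as the naive one, because element content is the one context where that character set is adequate.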