[Owasp-leaders] Secure coding guide review

Jim Manico jim.manico at owasp.org
Mon Sep 13 22:57:52 EDT 2010


Aye! We need to be more Agile.

*** 

And in general I'd like to get a lot more of Kevin's ideas in the mix. He has opinions about ASVS that could make it a lot better, and more. Let's encourage his good behavior! 

-Jim Manico
http://manico.net

On Sep 13, 2010, at 9:26 PM, Matt Tesauro <mtesauro at gmail.com> wrote:

> I'd like to suggest a middle path.  And apologies for replying so late in the game, I'm just now catching up on all the email I got during AppSec US.
> 
> It seems to me that we may be inadvertently punishing good behavior. Here's my point:
> 
> We have a case where a project lead got reviewed (and got a ton of additional comments), took all that feedback and made the project better.  This is definitely a win for OWASP and the project.
> 
> However, if we do a full re-review, we'll be rewarding that good behavior by providing extra work to achieve the end goal (stable release in this case).
> 
> I do see the value in getting the reviewers to look at the new version (1.1 in this case) but perhaps we need a lighter weight process.
> 
> ** My proposed change to AC v2 **
> 
> In the case that a project leader updates a project to address the feedback provided by reviewers, the following steps should apply:
> (1) The project leader will inform the reviewers of the update and ask them to have a second look to ensure the points they raised were addressed.
> (2) Each reviewer will append two items to their review [1]
>   (2.1) A yes/no question which says they have reviewed the updated item and it addressed the issues raised in their initial review.
>   (2.2) A space for them to leave any comments about their re-review.
> 
> ** end of changes **
> 
> I think this will balance the need for OWASP to have fully reviewed projects and the additional work we ask project leaders and reviewers to undertake.
> 
> All in favor say, "Aye"
> 
> [1] This will require a minor change to the template used for reviews going forward.  The two items can be added at the bottom of the reviewer section.
> 
> BTW, in retrospect, this was a case which I didn't anticipate when I was authoring AC v2.  I fully admit that I missed this and am actually quite glad we've both found the gap and a good method to bridge it in future.
> 
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> 
> On 9/9/10 3:58 PM, Paulo Coimbra wrote:
>> Brad et al,
>> 
>> From what I’ve understood there is nothing keeping the version 1.1 from
>> being rated as Stable and thus I propose that the project leader and both
>> reviewers answer the assessment inquiry again to say so if they want to.
>> 
>> Also, my intention was not for me to ask for more robust input but
>> solely for better documenting the input you have supplied and was used
>> by Keith as he has mentioned.
>> 
>> As I’ve said before I understand that there are of course other ways to
>> push forward the historical registration of this process and I am
>> obviously open to them all, if not for anything else, because I am here
>> to support project leaders’ work and GPC members’ decisions ;)
>> 
>> Thanks,
>> 
>> Paulo Coimbra,
>> 
>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>> 
>> *From:* bradcausey at gmail.com [mailto:bradcausey at gmail.com] *On Behalf Of
>> *Brad Causey
>> *Sent:* Thursday, 9 September 2010 21:17
>> *To:* Paulo Coimbra
>> *Cc:* Turpin, Keith N; Ludovic Petit; Matt Tesauro; Jeff Williams;
>> jim.manico at owasp.org; JMcGovern at virtusa.com; michael.scovetta at gmail.com;
>> owasp-leaders at lists.owasp.org;
>> global-projects-committee at lists.owasp.org; OWASP Foundation Board List
>> *Subject:* Re: Secure coding guide review
>> 
>> I think the change in revision numbers got us off course.
>> 
>> Paulo, at this point, I think he was moving from 1.0 (unstable) to 1.1
>> being a stable version of 1.0.
>> 
>> It also seems that the second reviewer needs to provide more robust
>> input (me).
>> 
>> Are there any requirements that are keeping the current version of the
>> document from becoming stable?
>> 
>> -Brad Causey
>> CISSP, MCSE, C|EH, CIFI, CGSP
>> 
>> http://www.owasp.org
>> --
>> "Si vis pacem, para bellum"
>> --
>> 
>> On Thu, Sep 9, 2010 at 12:00 PM, Paulo Coimbra <paulo.coimbra at owasp.org
>> <mailto:paulo.coimbra at owasp.org>> wrote:
>> 
>> Keith,
>> 
>> I am only looking for a path that simultaneously makes sense for
>> everybody, is in accordance with our assessment criteria and assures a
>> historical record of what was done through the release development and
>> review process.
>> 
>> In this context, it seems to me that we could keep all the questions
>> raised by both ‘formal’ reviewers linked with the version 1 document
>> which has generated them and explains an Alpha status rating.
>> 
>> Conversely, we could also link the improved document version (v1.1) with
>> the next review to show why it is (as we expect it will be) rated as
>> Stable release.
>> 
>> I believe the options above can assure a clear approach. However, as far
>> as I understand the situation, the assessment criteria, which is still
>> under improvement, is only a set of guidelines anyhow subjected to
>> different interpretations and, being so, if you think we should proceed
>> differently, please let us know what you propose for us to think about
>> and discuss.
>> 
>> Many thanks, best regards,
>> 
>> Paulo Coimbra,
>> 
>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>> 
>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
>> <mailto:keith.n.turpin at boeing.com>]
>> *Sent:* Thursday, 9 September 2010 17:34
>> *To:* Paulo Coimbra
>> 
>> 
>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
>> <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams';
>> jim.manico at owasp.org <mailto:jim.manico at owasp.org>;
>> JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>;
>> michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>;
>> owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>;
>> global-projects-committee at lists.owasp.org
>> <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation
>> Board List'
>> *Subject:* RE: Secure coding guide review
>> 
>> I'm okay with this approach, however the changes from 1 to 1.1 were to
>> address the reviewer feedback, plus that of a couple other leaders.
>> 
>> I corresponded with the reviewers to get agreement that I had addressed
>> their concerns and I believe both have already agreed that I did.
>> 
>> So if you really prefer that they officially review the 1.1 release, I
>> guess we can go that route, but I looked at 1.1 as the real first
>> release and only rolled from 1 to 1.1 to ensure it was clear which was
>> the post review version.
>> 
>> Keith Turpin CISSP, CSSLP
>> The Boeing Company
>> Information Security
>> (206) 683-9667
>> 
>> Email Notice: This communication may contain sensitive information. If
>> you are not the intended recipient, or believe that you have received
>> this communication in error, do not print, copy, retransmit, disseminate
>> or otherwise use the information. Respond to the sender that you have
>> received this e-mail in error, and delete the copy you received.
>> 
>> ------------------------------------------------------------------------
>> 
>> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org
>> <mailto:paulo.coimbra at owasp.org>]
>> *Sent:* Thursday, September 09, 2010 9:09 AM
>> *To:* Turpin, Keith N
>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
>> <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams';
>> jim.manico at owasp.org <mailto:jim.manico at owasp.org>;
>> JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>;
>> michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>;
>> owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>;
>> global-projects-committee at lists.owasp.org
>> <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation
>> Board List'
>> *Subject:* RE: Secure coding guide review
>> 
>> Keith (and GPC),
>> 
>> All this work of pushing this release forward through the assessment
>> process has honestly been a remarkable experience. You have shown both a
>> wonderful capacity for work and a no less outstanding patience to deal
>> with all my interminable requests. Last but not least, I’d like
>> to point out your capacity to quickly engage with the OWASP community and to
>> listen to and to incorporate feedback. Being so, for all of the above,
>> it has been a pleasure and I thank you.
>> 
>> http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About
>> 
>> 
>> As for the next phases, what I propose is as follows:
>> 
>> 1. *We rate the SCP v1 as an Alpha release* since the first reviewer,
>> when asked if ‘[there were] any missing sections critical enough to keep
>> the document at an alpha quality level’, has stated ‘The document
>> fulfils the aim of being a Quick Reference Guide, but my personal
>> feeling is that something is missing (...)’.
>> 
>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=First_Reviewer
>> 
>> 2. The Second Reviewer documents a bit better the contributions that he
>> has given to improve the SCP v1.
>> 
>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
>> 
>> 3. *We begin right now the process of assessing the SCP v1.1.* – It
>> seems you will not have any difficulty having it rated as a Stable
>> release since you have taken into account all the received feedback.
>> 
>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1
>> 
>> 
>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1/Assessment
>> 
>> 
>> I apologise if I sound bureaucratic. I’ve tried to balance your
>> understandable willingness of presenting a Stable version of your
>> document at our conference with our need to properly document the
>> assessment process.
>> 
>> Please let me know whether or not you (and the GPC) agree with the
>> suggested path for us to follow.
>> 
>> Many thanks, best regards,
>> 
>> Paulo Coimbra,
>> 
>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>> 
>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
>> <mailto:keith.n.turpin at boeing.com>]
>> *Sent:* Thursday, 9 September 2010 01:28
>> *To:* Paulo Coimbra
>> *Subject:* RE: Secure coding guide review
>> 
>> Thanks for getting back to me. I am sorry to bug you at such a bad hour.
>> 
>> Brad just completed his form and I will do mine now.
>> 
>> As to the leaders’ comments:
>> 
>> - The HTML entity encoding statement has been revised per another
>> reviewer's similar input.
>> 
>> - I corresponded with Jeff about the correlation to the ASVS project and
>> we agreed that spending some time bringing them into closer alignment
>> would be valuable, but they do not conflict with each other at present
>> and Jeff did not actually have time to review the coding guide. His
>> concern was based on what he perceived as a potential overlap. While
>> some exists, I do address that in the guide and talk about where the
>> guide fits in with the ASVS as well as other existing OWASP projects.
>> 
>> Ideally I think at some point a comprehensive standardization effort
>> among projects will be needed to map out each project's role in the
>> overall OWASP application security project framework and ensure that
>> they all relate well to each other, so that someone trying to build a
>> secure development program using the different projects can basically
>> plug and play them into that program and have it all work. A
>> standardization effort like this takes a lot of work and significantly
>> slows the creation process, so it may be too early for that, but it will
>> eventually be needed.
>> 
>> Keith Turpin CISSP, CSSLP
>> The Boeing Company
>> Information Security
>> (206) 683-9667
>> 
>> ------------------------------------------------------------------------
>> 
>> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org
>> <mailto:paulo.coimbra at owasp.org>]
>> *Sent:* Wednesday, September 08, 2010 5:05 PM
>> *To:* Turpin, Keith N
>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
>> <mailto:bradcausey at owasp.org>; 'Jason Li'; 'OWASP Foundation Board List'
>> *Subject:* RE: Secure coding guide review
>> 
>> Hello Keith,
>> 
>> From where I am answering you, Portugal, it’s already late - half an hour
>> after midnight - and so I am obliged to be concise. Tomorrow I will
>> respond to you thoroughly.
>> 
>> Being so and firstly, regarding the assessment’s formal process itself,
>> please note that all three reviews must be uploaded and so we still
>> need yours and Brad’s.
>> 
>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Project_Leader_for_this_Release
>> 
>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
>> 
>> 
>> Secondly, as for rating the release as a Stable one, in operational terms,
>> it seems to me it can be done as soon as the First and Second Reviewers
>> agree on doing that.
>> 
>> However, since we have received quite strong feedback through the
>> leaders’ mailing list, may I ask if you have already addressed all the
>> relevant issues pointed out, e.g. the following ones?
>> 
>> - ‘One quick note: this guide gives dangerous advice (HTML Entity Encode
>> all data sent to the client). It should advise contextual encoding’ - Jim
>> Manico,
>> 
>> - ‘I suggest a review against the guides and ASVS would be productive’ –
>> Jeff Williams,
>> 
>> I thank you for all your efforts, patience and diligence. I will contact you again,
>> first thing in the morning.
>> 
>> Regards,
>> 
>> Paulo Coimbra,
>> 
>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
>> 
>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
>> <mailto:keith.n.turpin at boeing.com>]
>> *Sent:* Wednesday, 8 September 2010 23:40
>> *To:* Paulo Coimbra
>> *Subject:* Secure coding guide review
>> 
>> Paulo,
>> 
>> I completed reviewing Ludovic Petit's feedback, which was mostly about
>> the opening structure of the document, and shared an updated version of
>> the document with him. I believe he supported moving to Release even
>> before I incorporated his input and he liked the changes.
>> 
>> I also reviewed all of the feedback from Brad Causey and sent him an
>> updated version for final review. I asked him to contact you if he
>> approved the move to Release or if he was unsure how to record his review.
>> 
>> Although not part of the formal review, I did get quite a bit of
>> feedback, mostly minor wording changes or typo corrections, from Michael
>> Scovetta and incorporated most of that as well.
>> 
>> I am working on creating an updated cross linked PDF file for the site
>> now, pending Brad's buy-off.
>> 
>> Assuming Brad likes what he sees, will it be possible to move this
>> project to Release before I present on it tomorrow afternoon? I will
>> send you the updated versions of the documents as soon as I hear from
>> Brad or just prior to the VIP party if I don't hear from him. I would
>> want to get the new versions posted even if the project reviews can't
>> all be wrapped up in time.
>> 
>> I am rolling the document version to 1.1, in case anyone already
>> downloaded the originally posted version.
>> 
>> Also, please add the three gentlemen that provided reviews as
>> contributors to the project. Thank you for all your help.
>> 
>> Keith Turpin CISSP, CSSLP
>> 
>> The Boeing Company
>> 
>> Information Security
>> 
>> (206) 683-9667