[Owasp-leaders] Secure coding guide review

Paulo Coimbra paulo.coimbra at owasp.org
Tue Sep 14 10:34:05 EDT 2010


Aye! It makes sense to me, even though I haven't yet figured out a way to implement Matt's idea. Who will try the first pass?

Paulo Coimbra,
OWASP Project Manager


> >-----Original Message-----
> >From: Jim Manico [mailto:jim.manico at owasp.org]
> >Sent: Tuesday, 14 September 2010 03:58
> >To: Matt Tesauro
> >Cc: Paulo Coimbra; bradcausey at owasp.org; Turpin, Keith N; Ludovic Petit; Matt Tesauro; Jeff Williams; JMcGovern at virtusa.com; michael.scovetta at gmail.com; owasp-leaders at lists.owasp.org; global-projects-committee at lists.owasp.org; OWASP Foundation Board List
> >Subject: Re: Secure coding guide review
> >
> >Aye! We need to be more Agile.
> >
> >***
> >
> >And in general I'd like to get a lot more of Kevin's ideas in the mix.
> >He has opinions about ASVS that could make it a lot better, and more.
> >Let's encourage his good behavior!
> >
> >-Jim Manico
> >http://manico.net
> >
> >On Sep 13, 2010, at 9:26 PM, Matt Tesauro <mtesauro at gmail.com> wrote:
> >
> >> I'd like to suggest a middle path.  And apologies for replying so late in the game, I'm just now catching up on all the email I got during AppSec US.
> >>
> >> It seems to me that we may be inadvertently punishing good behavior. Here's my point:
> >>
> >> We have a case where a project lead got reviewed (and got a ton of additional comments), took all that feedback and made the project better.  This is definitely a win for OWASP and the project.
> >>
> >> However, if we do a full re-review, we'll be rewarding that good behavior by providing extra work to achieve the end goal (stable release in this case).
> >>
> >> I do see the value in getting the reviewers to look at the new version (1.1 in this case) but perhaps we need a lighter weight process.
> >>
> >> ** My proposed change to AC v2 **
> >>
> >> In the case that a project leader updates a project to address the feedback provided by reviewers, the following steps should apply:
> >> (1) The project leader will inform the reviewers of the update and ask them to have a second look to ensure the points they raised were addressed.
> >> (2) Each reviewer will append two items to their review [1]
> >>   (2.1) A yes/no question which says they have reviewed the updated item and it addressed the issues raised in their initial review.
> >>   (2.2) A space for them to leave any comments about their re-review.
> >>
> >> ** end of changes **
> >>
> >> I think this will balance the need for OWASP to have fully reviewed projects and the additional work we ask project leaders and reviewers to undertake.
> >>
> >> All in favor say, "Aye"
> >>
> >> [1] This will require a minor change to the template used for reviews going forward.  The two items can be added at the bottom of the reviewer section.
> >>
> >> BTW, in retrospect, this was a case which I didn't anticipate when I was authoring AC v2.  I fully admit that I missed this and am actually quite glad we've both found the gap and a good method to bridge it in future.
> >>
> >> --
> >> -- Matt Tesauro
> >> OWASP Board Member
> >> OWASP WTE Project Lead
> >> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> >> http://AppSecLive.org - Community and Download site
> >>
> >> On 9/9/10 3:58 PM, Paulo Coimbra wrote:
> >>> Brad et al,
> >>>
> >>> From what I’ve understood there is nothing keeping version 1.1 from being rated as Stable, and thus I propose that the project leader and both reviewers answer the assessment inquiry again to say so, if they want to.
> >>>
> >>> Also, my intention was not to ask for more robust input but solely to better document the input you have supplied and which was used by Keith, as he has mentioned.
> >>>
> >>> As I’ve said before, I understand that there are of course other ways to push forward the historical registration of this process and I am obviously open to them all, if not for anything else, because I am here to support project leaders’ work and GPC members’ decisions ;)
> >>>
> >>> Thanks,
> >>>
> >>> Paulo Coimbra,
> >>>
> >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> >>>
> >>> *From:* bradcausey at gmail.com [mailto:bradcausey at gmail.com] *On Behalf Of* Brad Causey
> >>> *Sent:* Thursday, 9 September 2010 21:17
> >>> *To:* Paulo Coimbra
> >>> *Cc:* Turpin, Keith N; Ludovic Petit; Matt Tesauro; Jeff Williams; jim.manico at owasp.org; JMcGovern at virtusa.com; michael.scovetta at gmail.com; owasp-leaders at lists.owasp.org; global-projects-committee at lists.owasp.org; OWASP Foundation Board List
> >>> *Subject:* Re: Secure coding guide review
> >>>
> >>> I think the change in revision numbers got us off course.
> >>>
> >>> Paulo, at this point, I think he was moving from 1.0 (unstable) to 1.1 being a stable version of 1.0.
> >>>
> >>> It also seems that the second reviewer needs to provide more robust input (me).
> >>>
> >>> Are there any requirements that are keeping the current version of the document from becoming stable?
> >>>
> >>> -Brad Causey
> >>> CISSP, MCSE, C|EH, CIFI, CGSP
> >>>
> >>> http://www.owasp.org
> >>> --
> >>> "Si vis pacem, para bellum"
> >>> --
> >>>
> >>> On Thu, Sep 9, 2010 at 12:00 PM, Paulo Coimbra <paulo.coimbra at owasp.org <mailto:paulo.coimbra at owasp.org>> wrote:
> >>>
> >>> Keith,
> >>>
> >>> I am only looking for a path that simultaneously makes sense for everybody, is in accordance with our assessment criteria and assures a historical record of what was done through the release development and review process.
> >>>
> >>> In this context, it seems to me that we could keep all the questions raised by both ‘formal’ reviewers linked with the version 1 document which has generated them and explains an Alpha status rating.
> >>>
> >>> Conversely, we could also link the improved document version (v1.1) with the next review to show why it is (as we expect it will be) rated as a Stable release.
> >>>
> >>> I believe the options above can assure a clear approach. However, as far as I understand the situation, the assessment criteria, which are still under improvement, are only a set of guidelines, anyhow subject to different interpretations, and, being so, if you think we should proceed differently, please let us know what you propose for us to think about and discuss.
> >>>
> >>> Many thanks, best regards,
> >>>
> >>> Paulo Coimbra,
> >>>
> >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> >>>
> >>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com <mailto:keith.n.turpin at boeing.com>]
> >>> *Sent:* Thursday, 9 September 2010 17:34
> >>> *To:* Paulo Coimbra
> >>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams'; jim.manico at owasp.org <mailto:jim.manico at owasp.org>; JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>; michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>; owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>; global-projects-committee at lists.owasp.org <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation Board List'
> >>> *Subject:* RE: Secure coding guide review
> >>>
> >>> I'm okay with this approach; however, the changes from 1 to 1.1 were to address the reviewer feedback, plus that of a couple of other leaders.
> >>>
> >>> I corresponded with the reviewers to get agreement that I had addressed their concerns and I believe both have already agreed that I did.
> >>>
> >>> So if you really prefer that they officially review the 1.1 release, I guess we can go that route, but I looked at 1.1 as the real first release and only rolled from 1 to 1.1 to ensure it was clear which was the post-review version.
> >>>
> >>> Keith Turpin CISSP, CSSLP
> >>> The Boeing Company
> >>> Information Security
> >>> (206) 683-9667
> >>>
> >>> Email Notice: This communication may contain sensitive information. If you are not the intended recipient, or believe that you have received this communication in error, do not print, copy, retransmit, disseminate or otherwise use the information. Respond to the sender that you have received this e-mail in error, and delete the copy you received.
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org <mailto:paulo.coimbra at owasp.org>]
> >>> *Sent:* Thursday, September 09, 2010 9:09 AM
> >>> *To:* Turpin, Keith N
> >>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams'; jim.manico at owasp.org <mailto:jim.manico at owasp.org>; JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>; michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>; owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>; global-projects-committee at lists.owasp.org <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation Board List'
> >>> *Subject:* RE: Secure coding guide review
> >>>
> >>> Keith (and GPC),
> >>>
> >>> All this work of pushing this release forward through the assessment process has honestly been a remarkable experience. You have shown both a wonderful capacity for work and a no less outstanding patience to deal with all my interminable requests. Last but not least, I’d like to point out your capacity to quickly engage with the OWASP community and to listen to and incorporate feedback. Being so, for all of the above, it has been a pleasure and I thank you.
> >>>
> >>> http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About
> >>>
> >>> As for the next phases, what I propose is as follows:
> >>>
> >>> 1. *We rate the SCP v1 as an Alpha release* since the first reviewer, when asked if ‘[there were] any missing sections critical enough to keep the document at an alpha quality level’, has stated ‘The document fulfils the aim of being a Quick Reference Guide, but my personal feeling is that something is missing (...)’.
> >>>
> >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=First_Reviewer
> >>>
> >>> 2. The Second Reviewer documents a bit better the contributions that he has given to improve the SCP v1.
> >>>
> >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
> >>>
> >>> 3. *We begin right now the process of assessing the SCP v1.1.* It seems you will not have any difficulty having it rated as a Stable release since you have taken into account all the received feedback.
> >>>
> >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1
> >>>
> >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1/Assessment
> >>>
> >>> I apologise if I sound bureaucratic. I’ve tried to balance your understandable willingness to present a Stable version of your document at our conference with our need to properly document the assessment process.
> >>>
> >>> Please let me know whether or not you (and the GPC) agree with the suggested path for us to follow.
> >>>
> >>> Many thanks, best regards,
> >>>
> >>> Paulo Coimbra,
> >>>
> >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> >>>
> >>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com <mailto:keith.n.turpin at boeing.com>]
> >>> *Sent:* Thursday, 9 September 2010 01:28
> >>> *To:* Paulo Coimbra
> >>> *Subject:* RE: Secure coding guide review
> >>>
> >>> Thanks for getting back to me. I am sorry to bug you at such a bad hour.
> >>>
> >>> Brad just completed his form and I will do mine now.
> >>>
> >>> As to the leaders' comments:
> >>>
> >>> - The HTML entity encoding statement has been revised per another reviewer's similar input.
> >>>
> >>> - I corresponded with Jeff about the correlation to the ASVS project and we agreed that spending some time bringing them into closer alignment would be valuable, but they do not conflict with each other at present and Jeff did not actually have time to review the coding guide. His concern was based on what he perceived as a potential overlap. While some exists, I do address that in the guide and talk about where the guide fits in with the ASVS as well as other existing OWASP projects.
> >>>
> >>> Ideally I think at some point a comprehensive standardization effort among projects will be needed to map out each project's role in the overall OWASP application security project framework and ensure that they all relate well to each other, so that someone trying to build a secure development program using the different projects can basically plug and play them into that program and have it all work. A standardization effort like this takes a lot of work and significantly slows the creation process, so it may be too early for that, but it will eventually be needed.
> >>>
> >>> Keith Turpin CISSP, CSSLP
> >>> The Boeing Company
> >>> Information Security
> >>> (206) 683-9667
> >>>
> >>>
> >>> ------------------------------------------------------------------------
> >>>
> >>> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org <mailto:paulo.coimbra at owasp.org>]
> >>> *Sent:* Wednesday, September 08, 2010 5:05 PM
> >>> *To:* Turpin, Keith N
> >>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org <mailto:bradcausey at owasp.org>; 'Jason Li'; 'OWASP Foundation Board List'
> >>> *Subject:* RE: Secure coding guide review
> >>>
> >>> Hello Keith,
> >>>
> >>> From where I am answering you, Portugal, it’s already late - half an hour after midnight - and so I am obliged to be concise. Tomorrow I will respond to you thoroughly.
> >>>
> >>> Being so and firstly, regarding the assessment’s formal process itself, please note that all three reviews must be uploaded and so we still need yours and Brad’s.
> >>>
> >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Project_Leader_for_this_Release
> >>>
> >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
> >>>
> >>> Secondly, as for rating the release as a Stable one, in operational terms, it seems to me it can be done as soon as the First and Second Reviewers agree on doing that.
> >>>
> >>> However, since we have received quite strong feedback through the leaders’ mailing list, may I ask if you have already addressed all the relevant issues pointed out, e.g. the following ones?
> >>>
> >>> - ‘One quick note: this guide gives dangerous advice (HTML Entity Encode all data sent to the client). It should advise contextual encoding’ - Jim Manico,
> >>>
> >>> - ‘I suggest a review against the guides and ASVS would productive’ – Jeff Williams,
> >>>
> >>> I thank you for all your efforts, patience and diligence. I will contact you again first thing in the morning.
> >>>
> >>> Regards,
> >>>
> >>> Paulo Coimbra,
> >>>
> >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> >>>
> >>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com <mailto:keith.n.turpin at boeing.com>]
> >>> *Sent:* Wednesday, 8 September 2010 23:40
> >>> *To:* Paulo Coimbra
> >>> *Subject:* Secure coding guide review
> >>>
> >>> Paulo
> >>>
> >>> I completed reviewing Ludovic Petit's feedback, which was mostly about the opening structure of the document, and shared an updated version of the document with him. I believe he supported moving to Release even before I incorporated his input and he liked the changes.
> >>>
> >>> I also reviewed all of the feedback from Brad Causey and sent him an updated version for final review. I asked him to contact you if he approved the move to Release or if he was unsure how to record his review.
> >>>
> >>> Although not part of the formal review, I did get quite a bit of feedback, mostly minor wording changes or typo corrections, from Michael Scovetta and incorporated most of that as well.
> >>>
> >>> I am working on creating an updated cross-linked PDF file for the site now, pending Brad's buy-off.
> >>>
> >>> Assuming Brad likes what he sees, will it be possible to move this project to Release before I present on it tomorrow afternoon? I will send you the updated versions of the documents as soon as I hear from Brad or just prior to the VIP party if I don't hear from him. I would want to get the new versions posted even if the project reviews can't all be wrapped up in time.
> >>>
> >>> I am rolling the document version to 1.1, in case anyone already downloaded the originally posted version.
> >>>
> >>> Also, please add the three gentlemen that provided reviews as contributors to the project. Thank you for all your help.
> >>>
> >>> Keith Turpin CISSP, CSSLP
> >>>
> >>> The Boeing Company
> >>>
> >>> Information Security
> >>>
> >>> (206) 683-9667
> >>>
> >>>


