[Owasp-leaders] [GPC] Secure coding guide review

Jason Li jason.li at owasp.org
Tue Sep 14 10:52:06 EDT 2010


Let's add this to our meeting agenda for the GPC conf call Monday.

-Jason

On Tue, Sep 14, 2010 at 10:34 AM, Paulo Coimbra <paulo.coimbra at owasp.org>wrote:

> Aye! It makes sense to me even though I haven't figured out yet a way to
> implement Matt's idea. Who will try the first pass?
>
> Paulo Coimbra,
> OWASP Project Manager
>
>
> > >-----Original Message-----
> > >From: Jim Manico [mailto:jim.manico at owasp.org]
> > >Sent: Tuesday, 14 September 2010 03:58
> > >To: Matt Tesauro
> > >Cc: Paulo Coimbra; bradcausey at owasp.org; Turpin, Keith N; Ludovic
> > >Petit; Matt Tesauro; Jeff Williams; JMcGovern at virtusa.com;
> > >michael.scovetta at gmail.com; owasp-leaders at lists.owasp.org; global-
> > >projects-committee at lists.owasp.org; OWASP Foundation Board List
> > >Subject: Re: Secure coding guide review
> > >
> > >Aye! We need to be more Agile.
> > >
> > >***
> > >
> > >And in general I'd like to get a lot more of Kevin's ideas in the mix.
> > >He has opinions about ASVS that could make it a lot better, and more.
> > >Let's encourage his good behavior!
> > >
> > >-Jim Manico
> > >http://manico.net
> > >
> > >On Sep 13, 2010, at 9:26 PM, Matt Tesauro <mtesauro at gmail.com> wrote:
> > >
> > >> I'd like to suggest a middle path.  And apologies for replying so
> > >> late in the game, I'm just now catching up on all the email I got
> > >> during AppSec US.
> > >>
> > >> It seems to me that we may be inadvertently punishing good behavior.
> > >> Here's my point:
> > >>
> > >> We have a case where a project lead got reviewed (and got a ton of
> > >> additional comments), took all that feedback and made the project
> > >> better.  This is definitely a win for OWASP and the project.
> > >>
> > >> However, if we do a full re-review, we'll be rewarding that good
> > >> behavior by providing extra work to achieve the end goal (stable
> > >> release in this case).
> > >>
> > >> I do see the value in getting the reviewers to look at the new
> > >> version (1.1 in this case) but perhaps we need a lighter weight
> > >> process.
> > >>
> > >> ** My proposed change to AC v2 **
> > >>
> > >> In the case that a project leader updates a project to address the
> > >> feedback provided by reviewers, the following steps should apply:
> > >> (1) The project leader will inform the reviewers of the update and
> > >> ask them to have a second look to ensure the points they raised were
> > >> addressed.
> > >> (2) Each reviewer will append two items to their review [1]
> > >>   (2.1) A yes/no question which says they have reviewed the updated
> > >>   item and it addressed the issues raised in their initial review.
> > >>   (2.2) A space for them to leave any comments about their re-review.
> > >>
> > >> ** end of changes **
> > >>
> > >> I think this will balance the need for OWASP to have fully reviewed
> > >> projects and the additional work we ask project leaders and reviewers
> > >> to undertake.
> > >>
> > >> All in favor say, "Aye"
> > >>
> > >> [1] This will require a minor change to the template used for
> > >> reviews going forward.  The two items can be added at the bottom of
> > >> the reviewer section.
> > >>
> > >> BTW, in retrospect, this was a case which I didn't anticipate when I
> > >> was authoring AC v2.  I fully admit that I missed this and am actually
> > >> quite glad we've both found the gap and a good method to bridge it in
> > >> future.
> > >>
> > >> --
> > >> -- Matt Tesauro
> > >> OWASP Board Member
> > >> OWASP WTE Project Lead
> > >> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> > >> http://AppSecLive.org - Community and Download site
> > >>
> > >> On 9/9/10 3:58 PM, Paulo Coimbra wrote:
> > >>> Brad et al,
> > >>>
> > >>> From what I’ve understood there is nothing keeping the version 1.1 from
> > >>> being rated as Stable and thus I propose that project leader and both
> > >>> reviewers answer again to the assessment inquiry to say so if they
> > >>> want to.
> > >>>
> > >>> Also, my intention was not for me to ask for more robust input but
> > >>> solely for better documenting the input you have supplied and was used
> > >>> by Keith as he has mentioned.
> > >>>
> > >>> As I’ve said before I understand that there are of course other ways to
> > >>> push forward the historical registration of this process and I am
> > >>> obviously open to them all, if not for anything else, because I am here
> > >>> to support project leaders’ work and GPC members’ decisions ;)
> > >>>
> > >>> Thanks,
> > >>>
> > >>> Paulo Coimbra,
> > >>>
> > >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> > >>>
> > >>> *From:* bradcausey at gmail.com [mailto:bradcausey at gmail.com] *On
> > >>> Behalf Of* Brad Causey
> > >>> *Sent:* Thursday, 9 September 2010 21:17
> > >>> *To:* Paulo Coimbra
> > >>> *Cc:* Turpin, Keith N; Ludovic Petit; Matt Tesauro; Jeff Williams;
> > >>> jim.manico at owasp.org; JMcGovern at virtusa.com; michael.scovetta at gmail.com;
> > >>> owasp-leaders at lists.owasp.org;
> > >>> global-projects-committee at lists.owasp.org; OWASP Foundation Board List
> > >>> *Subject:* Re: Secure coding guide review
> > >>>
> > >>> I think the change in revision numbers got us off course.
> > >>>
> > >>> Paulo, at this point, I think he was moving from 1.0 (unstable) to 1.1
> > >>> being a stable version of 1.0.
> > >>>
> > >>> It also seems that the second reviewer needs to provide more robust
> > >>> input (me).
> > >>>
> > >>> Are there any requirements that are keeping the current version of the
> > >>> document from becoming stable?
> > >>>
> > >>> -Brad Causey
> > >>> CISSP, MCSE, C|EH, CIFI, CGSP
> > >>>
> > >>> http://www.owasp.org
> > >>> --
> > >>> "Si vis pacem, para bellum"
> > >>> --
> > >>>
> > >>> On Thu, Sep 9, 2010 at 12:00 PM, Paulo Coimbra <paulo.coimbra at owasp.org
> > >>> <mailto:paulo.coimbra at owasp.org>> wrote:
> > >>>
> > >>> Keith,
> > >>>
> > >>> I am only looking for a path that simultaneously makes sense for
> > >>> everybody, is in accordance with our assessment criteria and assures a
> > >>> historical record of what was done through the release development and
> > >>> review process.
> > >>>
> > >>> In this context, it seems to me that we could keep all the questions
> > >>> raised by both ‘formal’ reviewers linked with the version 1 document
> > >>> which has generated them and explains an Alpha status rating.
> > >>>
> > >>> Conversely, we could also link the improved document version (v1.1) with
> > >>> the next review to show why it is (as we expect it will be) rated as
> > >>> Stable release.
> > >>>
> > >>> I believe the options above can assure a clear approach. However, as far
> > >>> as I understand the situation, the assessment criteria, which is still
> > >>> under improvement, is only a set of guidelines anyhow subjected to
> > >>> different interpretations and, being so, if you think we should proceed
> > >>> differently, please let us know what you propose for us to think about
> > >>> and discuss.
> > >>>
> > >>> Many thanks, best regards,
> > >>>
> > >>> Paulo Coimbra,
> > >>>
> > >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> > >>>
> > >>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
> > >>> <mailto:keith.n.turpin at boeing.com>]
> > >>> *Sent:* Thursday, 9 September 2010 17:34
> > >>> *To:* Paulo Coimbra
> > >>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
> > >>> <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams';
> > >>> jim.manico at owasp.org <mailto:jim.manico at owasp.org>;
> > >>> JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>;
> > >>> michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>;
> > >>> owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>;
> > >>> global-projects-committee at lists.owasp.org
> > >>> <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation
> > >>> Board List'
> > >>> *Subject:* RE: Secure coding guide review
> > >>>
> > >>> I'm okay with this approach, however the changes from 1 to 1.1 were to
> > >>> address the reviewer feedback, plus that of a couple other leaders.
> > >>>
> > >>> I corresponded with the reviewers to get agreement that I had addressed
> > >>> their concerns and I believe both have already agreed that I did.
> > >>>
> > >>> So if you really prefer that they officially review the 1.1 release, I
> > >>> guess we can go that route, but I looked at 1.1 as the real first
> > >>> release and only rolled from 1 to 1.1 to ensure it was clear which was
> > >>> the post review version.
> > >>>
> > >>> Keith Turpin CISSP, CSSLP
> > >>> The Boeing Company
> > >>> Information Security
> > >>> (206) 683-9667
> > >>>
> > >>> Email Notice: This communication may contain sensitive information. If
> > >>> you are not the intended recipient, or believe that you have received
> > >>> this communication in error, do not print, copy, retransmit, disseminate
> > >>> or otherwise use the information. Respond to the sender that you have
> > >>> received this e-mail in error, and delete the copy you received.
> > >>>
> > >>> ------------------------------------------------------------------------
> > >>>
> > >>> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org
> > >>> <mailto:paulo.coimbra at owasp.org>]
> > >>> *Sent:* Thursday, September 09, 2010 9:09 AM
> > >>> *To:* Turpin, Keith N
> > >>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
> > >>> <mailto:bradcausey at owasp.org>; 'Matt Tesauro'; 'Jeff Williams';
> > >>> jim.manico at owasp.org <mailto:jim.manico at owasp.org>;
> > >>> JMcGovern at virtusa.com <mailto:JMcGovern at virtusa.com>;
> > >>> michael.scovetta at gmail.com <mailto:michael.scovetta at gmail.com>;
> > >>> owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>;
> > >>> global-projects-committee at lists.owasp.org
> > >>> <mailto:global-projects-committee at lists.owasp.org>; 'OWASP Foundation
> > >>> Board List'
> > >>> *Subject:* RE: Secure coding guide review
> > >>>
> > >>> Keith (and GPC),
> > >>>
> > >>> All this work of pushing this release forward through the assessment
> > >>> process has honestly been a remarkable experience. You have shown both a
> > >>> wonderful capacity of work and a not less outstanding patience to deal
> > >>> with all my interminable requests. Last but not least, I’d like to
> > >>> point out your capacity to quickly engage with the OWASP community and
> > >>> to listen to and to incorporate feedback. Being so, for all of the
> > >>> above, it has been a pleasure and I thank you.
> > >>>
> > >>> http://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide#tab=Project_About
> > >>>
> > >>> As for the next phases, what I propose is as follows:
> > >>>
> > >>> 1. *We rate the SCP v1 as an Alpha release* since the first reviewer,
> > >>> when asked if ‘[there were] any missing sections critical enough to keep
> > >>> the document at an alpha quality level’, has stated ‘The document
> > >>> fulfils the aim of being a Quick Reference Guide, but my personal
> > >>> feeling is that something is missing (...)’.
> > >>>
> > >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=First_Reviewer
> > >>>
> > >>> 2. The Second Reviewer documents a bit better the contributions that he
> > >>> has given to improve the SCP v1.
> > >>>
> > >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
> > >>>
> > >>> 3. *We begin right now the process of assessing the SCP v1.1.* It
> > >>> seems you will not have any difficulty having it rated as a Stable
> > >>> release since you have taken into account all the received feedback.
> > >>>
> > >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1
> > >>>
> > >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1.1/Assessment
> > >>>
> > >>> I apologise if I sound bureaucratic. I’ve tried to balance your
> > >>> understandable willingness of presenting a Stable version of your
> > >>> document at our conference with our need to properly document the
> > >>> assessment process.
> > >>>
> > >>> Please let me know whether or not you (and the GPC) agree with the
> > >>> suggested path for us to follow.
> > >>>
> > >>> Many thanks, best regards,
> > >>>
> > >>> Paulo Coimbra,
> > >>>
> > >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> > >>>
> > >>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
> > >>> <mailto:keith.n.turpin at boeing.com>]
> > >>> *Sent:* Thursday, 9 September 2010 01:28
> > >>> *To:* Paulo Coimbra
> > >>> *Subject:* RE: Secure coding guide review
> > >>>
> > >>> Thanks for getting back to me. I am sorry to bug you at such a bad hour.
> > >>>
> > >>> Brad just completed his form and I will do mine now.
> > >>>
> > >>> As to the leaders' comments:
> > >>>
> > >>> - The HTML entity encoding statement has been revised per another
> > >>> reviewer's similar input.
> > >>>
> > >>> - I corresponded with Jeff about the correlation to the ASVS project and
> > >>> we agreed that spending some time bringing them into closer alignment
> > >>> would be valuable, but they do not conflict with each other at present
> > >>> and Jeff did not actually have time to review the coding guide. His
> > >>> concern was based on what he perceived as a potential overlap. While
> > >>> some exists, I do address that in the guide and talk about where the
> > >>> guide fits in with the ASVS as well as other existing OWASP projects.
> > >>>
> > >>> Ideally I think at some point a comprehensive standardization effort
> > >>> among projects will be needed to map out each project's role in the
> > >>> overall OWASP application security project framework and ensure that
> > >>> they all relate well to each other, so that someone trying to build a
> > >>> secure development program using the different projects can basically
> > >>> plug and play them into that program and have it all work. A
> > >>> standardization effort like this takes a lot of work and significantly
> > >>> slows the creation process, so it may be too early for that, but it will
> > >>> eventually be needed.
> > >>>
> > >>> Keith Turpin CISSP, CSSLP
> > >>> The Boeing Company
> > >>> Information Security
> > >>> (206) 683-9667
> > >>>
> > >>> ------------------------------------------------------------------------
> > >>>
> > >>> *From:* Paulo Coimbra [mailto:paulo.coimbra at owasp.org
> > >>> <mailto:paulo.coimbra at owasp.org>]
> > >>> *Sent:* Wednesday, September 08, 2010 5:05 PM
> > >>> *To:* Turpin, Keith N
> > >>> *Cc:* 'Ludovic Petit'; bradcausey at owasp.org
> > >>> <mailto:bradcausey at owasp.org>; 'Jason Li'; 'OWASP Foundation Board List'
> > >>> *Subject:* RE: Secure coding guide review
> > >>>
> > >>> Hello Keith,
> > >>>
> > >>> From where I am answering you, Portugal, it’s already late - half an hour
> > >>> after midnight - and so I am obliged to be concise. Tomorrow I will
> > >>> respond to you thoroughly.
> > >>>
> > >>> Being so and firstly, regarding the assessment’s formal process itself,
> > >>> please note that all the three reviews must be uploaded and so we still
> > >>> need yours and Brad’s.
> > >>>
> > >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Project_Leader_for_this_Release
> > >>>
> > >>> http://www.owasp.org/index.php/Projects/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide/Releases/SCP_v1/Assessment#tab=Second_Reviewer
> > >>>
> > >>> Secondly, as for rating the release as a Stable one, in operational terms,
> > >>> it seems to me it can be done as soon as the First and Second Reviewers
> > >>> agree on doing that.
> > >>>
> > >>> However, since we have received quite strong feedback through the
> > >>> leaders’ mailing list, may I ask if you have already addressed all the
> > >>> relevant issues pointed out, e.g. the following ones?
> > >>>
> > >>> - ‘One quick note: this guide gives dangerous advice (HTML Entity Encode
> > >>> all data sent to the client). It should advise contextual encoding’ - Jim
> > >>> Manico,
> > >>>
> > >>> - ‘I suggest a review against the guides and ASVS would be productive’ -
> > >>> Jeff Williams,
> > >>>
> > >>> I thank you for all your efforts, patience and diligence. I will contact
> > >>> you again, first thing in the morning.
> > >>>
> > >>> Regards,
> > >>>
> > >>> Paulo Coimbra,
> > >>>
> > >>> OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>
> > >>>
> > >>> *From:* Turpin, Keith N [mailto:keith.n.turpin at boeing.com
> > >>> <mailto:keith.n.turpin at boeing.com>]
> > >>> *Sent:* Wednesday, 8 September 2010 23:40
> > >>> *To:* Paulo Coimbra
> > >>> *Subject:* Secure coding guide review
> > >>>
> > >>> Paulo,
> > >>>
> > >>> I completed reviewing Ludovic Petit's feedback, which was mostly about
> > >>> the opening structure of the document, and shared an updated version of
> > >>> the document with him. I believe he supported moving to Release even
> > >>> before I incorporated his input and he liked the changes.
> > >>>
> > >>> I also reviewed all of the feedback from Brad Causey and sent him an
> > >>> updated version for final review. I asked him to contact you if he
> > >>> approved the move to Release or if he was unsure how to record his review.
> > >>>
> > >>> Although not part of the formal review, I did get quite a bit of
> > >>> feedback, mostly minor wording changes or typo corrections, from Michael
> > >>> Scovetta and incorporated most of that as well.
> > >>>
> > >>> I am working on creating an updated cross linked PDF file for the site
> > >>> now, pending Brad's buy-off.
> > >>>
> > >>> Assuming Brad likes what he sees, will it be possible to move this
> > >>> project to Release before I present on it tomorrow afternoon? I will
> > >>> send you the updated versions of the documents as soon as I hear from
> > >>> Brad or just prior to the VIP party if I don't hear from him. I would
> > >>> want to get the new versions posted even if the project reviews can't
> > >>> all be wrapped up in time.
> > >>>
> > >>> I am rolling the document version to 1.1, in case anyone already
> > >>> downloaded the originally posted version.
> > >>>
> > >>> Also, please add the three gentlemen that provided reviews as
> > >>> contributors to the project. Thank you for all your help.
> > >>>
> > >>> Keith Turpin CISSP, CSSLP
> > >>>
> > >>> The Boeing Company
> > >>>
> > >>> Information Security
> > >>>
> > >>> (206) 683-9667
> > >>>
>
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>