[Owasp-leaders] [SAMM] Fwd: ISO/IEC 27034

Jonathan Marcil jonathan.marcil at owasp.org
Sat Aug 17 00:10:33 UTC 2013

Hi Colin,

I think your questioning is really pertinent and I'm forwarding this to
owasp-leaders for general information.

See below for my replies.

On 2013-08-16 02:44, Colin Watson wrote:
> Jonathan
> Congratulations.  It is important to engage, but I was wondering how
> the issue of "open and free" has been considered. This has held me
> back previously from involvement with some third parties "on behalf of
> OWASP". For example:
Please note that it was not really an involvement with OWASP to
contribute directly with an ISO standard.

27034 is somewhat special and defines a "communication protocol" that
uses XML with a Schema in order to propose a structured way to describe
Application Security Controls (ASCs).

The main editor of the standard and I will propose and lead an OWASP
Project that will produce XML with OWASP's content and references. It
will be a way for organizations using 27034 to implement OWASP knowledge
into their security controls.

I do think that this standard is trying to push an "open" way of
exchanging information with the ASCs and of course all OWASP related
stuff will be freely available using that way (XML files).

> - Will you upload any supporting information to the wiki, or point to
> where they are available?
A wiki project page will be made as soon as I have the time to pass
through the process of an OWASP project creation (it is my first time). I
expect it to be by the end of August.

> - Will the meeting(s) be available publicly to listen to, or will
> there be a recording available for OWASP afterwards?
Not that I know of. And if I might add, the whole 20+ hours of
discussions were not interesting in my opinion for people not
participating on site. Also, I understood that it was not a real
official ISO meeting so official decisions can come out of it.

That said, we will document in the wiki page everything that is needed
to understand the project's XML usage and why we are doing this.

Just to be clear again, I was not here to officially represent OWASP but
rather to see if making an OWASP project was a good idea, to learn about
the standard and to bring my knowledge (of OWASP and Application
Security) to the table.

> - Will the standard be free to OWASP (members)?
No. But since the OWASP project will actually produce ASCs, these will
be available for free for any organization that wishes to implement the
ISO standard. I think that the standard, if it's well adopted, will
probably lead to an ecosystem of ASCs and OWASP's ASCs will be a free

That's one of the reasons I mentioned that my approach is not really like
SAMM, because I'm really just looking at security controls from a 27034
point of view, so the standard itself is not mandatory to even
participate in the project: you just have to understand the XML structure.

> ISO 27034 Part 1 doesn't mention OWASP at all, at any point or in any reference.
I don't think part 1 will ever mention OWASP and will not mention any
other "ASCs providers" since this is not a direct participation in the
standard itself.

The bottom line is that there will be an OWASP project that will deliver
in an open way and for free ASCs in XML format that organizations will
be able to use with 27034. These files will not be part of the standard
but will use the schema provided by it.

> Colin


- Jonathan
