[Owasp-leaders] [SAMM] Fwd: ISO/IEC 27034

Colin Watson colin.watson at owasp.org
Sun Aug 18 08:50:02 UTC 2013


Thank you for your reply.  What raised my concern was the statement

   "have been invited to represent OWASP at an ISO/IEC 27034 ...
meeting by ... the main project editor."

But I think you have clarified this isn't OWASP (as a group)
contributing to that commercial standard, but individuals wishing to
learn more, and possibly on the back of that build information and
resources that would help appsec professionals work with that standard
and others?

On the "not mentioning OWASP", it seemed very odd that in Part 1, so
much space was given over to just one vendor's methodology. But OWASP
itself ought to have a wiki page describing the various standards,
SDLC process models and maturity models, that compares and contrasts
these, and states the pros and cons. All in an unbiased manner.

Good luck with your own project. If you need some help with setting up
wiki pages for the project, I will try to help. I have done a couple
of project pages recently (Codes of Conduct, Cornucopia), but found
inspiration in copying ideas/code from other pages like ZAP.


On 17 August 2013 01:10, Jonathan Marcil <jonathan.marcil at owasp.org> wrote:
> Hi Colin,
> I think your questioning is really pertinent and I'm forwarding this to
> owasp-leaders for general information.
> See below for my replies.
> On 2013-08-16 02:44, Colin Watson wrote:
>> Jonathan
>> Congratulations.  It is important to engage, but I was wondering how
>> the issue of "open and free" has been considered. This has held me
>> back previously from involvement with some third parties "on behalf of
>> OWASP". For example:
> Please note that it was not really an involvement with OWASP to
> contribute directly with an ISO standard.
> 27034 is somewhat special and defines a "communication protocol" that
> uses XML with a Schema in order to propose a structured way to describe
> Application Security Controls (ASCs).
> The main editor of the standard and me will propose and lead an OWASP
> Project that will produce XML with OWASP's content and references. It
> will be a way for organizations using 27034 to implement OWASP knowledge
> into their security controls.
> I do think that this standard is trying to push an "open" way of
> exchanging information with the ASCs and of course all OWASP related
> stuff will be freely available using that way (XML files).
>> - Will you upload any supporting information to the wiki, or point to
>> where they are available?
> A wiki project page will be made as soon as I have the time to pass
> trough the process of an OWASP project creation (it is my first time). I
> expect it to be by the end of August.
>> - Will the meeting(s) be available publicly to listen to, or will
>> there be a recording available for OWASP afterwards?
> Not that I know of. And if I might add, the whole 20+ hours of
> discussions where not interesting in my opinion for people not
> participating on site. Also, I understood that it was not a real
> official ISO meeting so official decisions can comes out of it.
> That said, we will document in the wiki page everything that is needed
> to understand the project's XML usage and why we are doing this.
> Just to be clear again, I was not here to officially represent OWASP but
> rather to see if making an OWASP project was a good idea, to learn about
> the standard and to bring my knowledge (of OWASP and Application
> Security) to the table.
>> - Will the standard be free to OWASP (members)?
> No. But since the OWASP project will actually produce ASCs, these will
> be available for free for any organization that wishes to implement the
> ISO standard. I think that the standard, if it's well adopted, will
> probably lead to an ecosystem of ASCs and OWASP's ASCs will be a free
> option.
> That's one of the reason I mentioned that my approach is not really like
> SAMM, because I'm really just looking at security control from an 27034
> point of view, so the standard itself is not mandatory to even
> participate in the project : you just have to understand the XML structure.
>> ISO 27034 Part 1 doesn't mention OWASP at all, at any point or in any reference.
> I don't think part 1 will ever mention OWASP and will not mention any
> other "ASCs providers" since this is not a direct participation in the
> standard itself.
> The bottom line is that there will be an OWASP project that will deliver
> in an open way and for free ASCs in XML format that organizations will
> be able to use with 27034. Theses files will not be part of the standard
> but will use the schema provided by it.
>> Colin
> Thanks,
> - Jonathan

More information about the OWASP-Leaders mailing list