[Owasp-leaders] [SAMM] Fwd: ISO/IEC 27034

Adil Aliyev adil.aliyev at owasp.org
Mon Aug 19 20:43:19 UTC 2013


Dear All,

Where can I obtain a copy of draft of Part 2?

Best Regards,
Adil Aliyev




On Sun, Aug 18, 2013 at 1:50 PM, Colin Watson <colin.watson at owasp.org> wrote:

> Jonathan
>
> Thank you for your reply.  What raised my concern was the statement
>
>    "have been invited to represent OWASP at an ISO/IEC 27034 ...
> meeting by ... the main project editor."
>
> But I think you have clarified this isn't OWASP (as a group)
> contributing to that commercial standard, but individuals wishing to
> learn more, and possibly on the back of that build information and
> resources that would help appsec professionals work with that standard
> and others?
>
> On the "not mentioning OWASP", it seemed very odd that in Part 1, so
> much space was given over to just one vendor's methodology. But OWASP
> itself ought to have a wiki page describing the various standards,
> SDLC process models and maturity models, that compares and contrasts
> these, and states the pros and cons. All in an unbiased manner.
>
> Good luck with your own project. If you need some help with setting up
> wiki pages for the project, I will try to help. I have done a couple
> of project pages recently (Codes of Conduct, Cornucopia), but found
> inspiration in copying ideas/code from other pages like ZAP.
>
> Colin
>
>
> On 17 August 2013 01:10, Jonathan Marcil <jonathan.marcil at owasp.org>
> wrote:
> > Hi Colin,
> >
> > I think your questioning is really pertinent and I'm forwarding this to
> > owasp-leaders for general information.
> >
> > See below for my replies.
> >
> > On 2013-08-16 02:44, Colin Watson wrote:
> >> Jonathan
> >>
> >> Congratulations.  It is important to engage, but I was wondering how
> >> the issue of "open and free" has been considered. This has held me
> >> back previously from involvement with some third parties "on behalf of
> >> OWASP". For example:
> >>
> > Please note that it was not really an involvement with OWASP to
> > contribute directly with an ISO standard.
> >
> > 27034 is somewhat special and defines a "communication protocol" that
> > uses XML with a Schema in order to propose a structured way to describe
> > Application Security Controls (ASCs).
> >
> > The main editor of the standard and I will propose and lead an OWASP
> > Project that will produce XML with OWASP's content and references. It
> > will be a way for organizations using 27034 to implement OWASP knowledge
> > into their security controls.
> >
> > I do think that this standard is trying to push an "open" way of
> > exchanging information with the ASCs and of course all OWASP related
> > stuff will be freely available using that way (XML files).
> >
> >> - Will you upload any supporting information to the wiki, or point to
> >> where they are available?
> > A wiki project page will be made as soon as I have the time to pass
> > through the process of an OWASP project creation (it is my first time). I
> > expect it to be by the end of August.
> >
> >> - Will the meeting(s) be available publicly to listen to, or will
> >> there be a recording available for OWASP afterwards?
> > Not that I know of. And if I might add, the whole 20+ hours of
> > discussions were not interesting in my opinion for people not
> > participating on site. Also, I understood that it was not a real
> > official ISO meeting so official decisions can come out of it.
> >
> > That said, we will document in the wiki page everything that is needed
> > to understand the project's XML usage and why we are doing this.
> >
> > Just to be clear again, I was not here to officially represent OWASP but
> > rather to see if making an OWASP project was a good idea, to learn about
> > the standard and to bring my knowledge (of OWASP and Application
> > Security) to the table.
> >
> >> - Will the standard be free to OWASP (members)?
> >>
> > No. But since the OWASP project will actually produce ASCs, these will
> > be available for free for any organization that wishes to implement the
> > ISO standard. I think that the standard, if it's well adopted, will
> > probably lead to an ecosystem of ASCs and OWASP's ASCs will be a free
> > option.
> >
> > That's one of the reasons I mentioned that my approach is not really like
> > SAMM, because I'm really just looking at security control from a 27034
> > point of view, so the standard itself is not mandatory to even
> > participate in the project: you just have to understand the XML
> > structure.
> >
> >> ISO 27034 Part 1 doesn't mention OWASP at all, at any point or in any
> >> reference.
> >>
> > I don't think part 1 will ever mention OWASP and will not mention any
> > other "ASCs providers" since this is not a direct participation in the
> > standard itself.
> >
> > The bottom line is that there will be an OWASP project that will deliver
> > in an open way and for free ASCs in XML format that organizations will
> > be able to use with 27034. These files will not be part of the standard
> > but will use the schema provided by it.
> >
> >> Colin
> >>
> >>
> >>
> >
> > Thanks,
> >
> > - Jonathan
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>