[Owasp-leaders] [SAMM] Fwd: ISO/IEC 27034

Tobias tobias.gondrom at owasp.org
Mon Aug 26 17:14:38 UTC 2013

Added the OWASP governance list. If we want, we could discuss some parts
of the general governance questions there instead of the leaders list.

A few comments:
0. In the past we had the GIC (Global Industry Committee) for
coordinating liaisons with other SDO organisations. As we have dissolved
all committees, that is no longer the case.

regarding external organisations in general:
- I think there are two base cases:
A) (this is probably the base case, e.g. for many of our members in ISO
etc.) a person is working with another organisation or standards body
based on their individual expertise or in their normal non-OWASP roles
anyway. In that case it is great to promote the vision of OWASP and our
projects - without claiming to speak on behalf of OWASP.
b) if a person wants to speak on behalf of OWASP or join an organisation
as an OWASP contact, then we need some kind of process to assign that
role. In the past we had the board and the GIC (which was empowered by
the community and the board) to do so and to coordinate. As at the
moment we only have the board to fulfill that function, this liaison
role should be assigned by the board if necessary, until we create a new
coordination function.

In general in my humble experience a few thoughts:
1. I think liaison functions are good to promote our OWASP goals and
vision into other organisations. It helps spread our message. But
coordination is very important.
1.1. Liaison people could be coordinated and supported by our operations
staff or any other initiative/committee, but need to be
selected/empowered by the community (in whatever process we think makes
most sense, i.e. directly or indirectly). They require deep technical
security expertise, reliable commitment and certain standing within the
community, criteria which should be decided by our community/board/other
community function, as the community or an assigned sub-group is best
suited to evaluate that qualification.

2. In general, we as the OWASP community should give only very few
statements on behalf of the community. It is better to make a few good
statements with impact, than to make many with low impact.
That means that even a community/board-assigned person should
not speak on behalf of the community. And we should involve the
community or go through an internal process of coordinating or review on
the board and leaders list before the OWASP organisation makes any
official statements. (unless there is an emergency at hand)

I have seen both strategies work very well with other global (and much
larger) SDOs (standards developing bodies) and think this could be a
role model for OWASP.

Just my 5 cents,


On 25/08/13 20:19, Sebastien Gioria wrote:
> 2013/8/25 Dennis Groves <dennis.groves at owasp.org
> <mailto:dennis.groves at owasp.org>>
>         Just to make sure my message is not misunderstood: I am not
>         questioning
>         Sebastien/Jonathan's involvements in the ISO 27034 process.
>         Quite to the
>         opposite, I highly vouch for them on this initiative but this is
>         probably because I both personally and professionally know
>         them and
>         fully entrust them into this initiative, which may still not
>         be the case
>         for other leaders.
>         If not done already, I would highly recommend this question to be
>         discussed in the workshops during the Appsec NY in November,
>         just to
>         make sure that voices and opinions from leaders are well heard.
>         Eventually, do we have a process (not sure whether or not the word
>         "committee" comes here) that centralizes and lists these
>         collaborations
>         with standardization bodies?
>     I am BSI-ISO/SC27/WG4; I know I am not also alone in being in
>     OWASP and on the standards committee. Obviously so are Jonathan
>     and Sebastien, and there must be many others as well.  It may be
>     useful indeed for us to gather in NY at AppSec USA so we can work
>     on a process for engaging with standards bodies.
> I propose to start next month a HangOut or so.
> -- 
> OWASP French Chapter Leader
> GSM: +33 6 70 59 11 44
