[Owasp-leaders] [SAMM] Fwd: ISO/IEC 27034

Patrick Leclerc patrick.leclerc at owasp.org
Mon Aug 26 18:09:14 UTC 2013

Hi all,

I think the debate here is getting much wider than the intentions initially
explained by Jonathan (involving participation in producing ISO 27034 ASCs
(Application Security Controls) for controls and recommendations already
proposed by OWASP).

From my understanding, these ASCs will be nothing more than XML templates
or samples that will describe which, why, when and how a particular
security control should be applied to assess the effectiveness and
completeness of an SDLC security control. Any organization that wants to
implement ISO 27034 would then have the possibility to take its inspiration
from the provided OWASP ASC samples, and any organization not
wanting to implement the standard would do well to use the freely
provided OWASP content…

Does that make sense?


On Mon, Aug 26, 2013 at 1:14 PM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Added the OWASP governance list. If we want, we could discuss some parts
> of the general governance questions there instead of the leaders list.
> A few comments:
> 0. In the past we had the GIC (Global Industry Committee) for coordinating
> liaisons with other SDO organisations. As we have dissolved all committees,
> that is no longer the case.
> regarding external organisations in general:
> - I think there are two base cases:
> A) (this is probably the base case, e.g. for many of our members in ISO
> etc.) a person is working with another organisation or standards body based
> on their individual expertise or in their normal non-OWASP roles anyway. In
> that case it is great to promote the vision of OWASP and our projects -
> without claiming to speak on behalf of OWASP.
> b) if a person wants to speak on behalf of OWASP or join an organisation
> as an OWASP contact, then we need some kind of process to assign that role.
> In the past we had the board and the GIC (which was empowered by the
> community and the board) to do so and to coordinate. As at the moment we
> only have the board to fulfill that function, this liaison role should be
> assigned by the board if necessary, until we create a new coordination
> function.
> In general in my humble experience a few thoughts:
> 1. I think liaison functions are good to promote our OWASP goals and
> vision into other organisations. It helps spread our message. But
> coordination is very important.
> 1.1. Liaison people could be coordinated and supported by our operations
> staff or any other initiative/committee, but need to be selected/empowered
> by the community (in whatever process we think makes most sense, i.e.
> directly or indirectly). They require deep technical security expertise,
> reliable commitment and certain standing within the community, criteria
> which should be decided by our community/board/other community function, as
> the community or an assigned sub-group is best suited to evaluate that
> qualification.
> 2. In general, we as the OWASP community should give only very few
> statements on behalf of the community. It is better to make a few good
> statements with impact, than to make many with low impact.
> That means that even a person assigned by the community/board should not
> speak on behalf of the community. And we should involve the community or go
> through an internal process of coordinating or review on the board and
> leaders list before the OWASP organisation makes any official statements.
> (unless there is an emergency at hand)
> I have seen both strategies work very well with other global (and much
> larger) SDOs (standards developing bodies) and think this could be a role
> model for OWASP.
> Just my 5 cents,
> Tobias
> On 25/08/13 20:19, Sebastien Gioria wrote:
> 2013/8/25 Dennis Groves <dennis.groves at owasp.org>
>>> Just to make sure my message is not misunderstood: I am not questioning
>>> Sebastien/Jonathan's involvement in the ISO 27034 process. Quite the
>>> opposite, I highly vouch for them on this initiative, but this is
>>> probably because I both personally and professionally know them and
>>> fully entrust them with this initiative, which may still not be the case
>>> for other leaders.
>>> If not done already, I would highly recommend that this question be
>>> discussed in the workshops during AppSec NY in November, just to
>>> make sure that the voices and opinions of leaders are well heard.
>>> Eventually, do we have a process (not sure whether or not the word
>>> "committee" comes here) that centralizes and lists these collaborations
>>> with standardization bodies?
>> I am on BSI-ISO/SC27/WG4; I know I am also not alone in being in OWASP and
>> on the standards committee. Obviously so are Jonathan and Sebastien, and
>> there must be many others as well. It may be useful indeed for us to gather
>> in NY at AppSec USA so we can work on a process for engaging with standards
>> bodies.
> I propose to start a HangOut or so next month.
>  --
> OWASP French Chapter Leader
> GSM: +33 6 70 59 11 44
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

*Patrick Leclerc*
*OWASP Quebec city <https://www.owasp.org/index.php/Quebec_City>*