[Owasp-leaders] [SAMM] Fwd: ISO/IEC 27034

Sebastien Gioria sebastien.gioria at owasp.org
Mon Aug 26 19:13:03 UTC 2013


Patrick,

You're right, at first Luc just talked about some participation in the ASCs.

But I think OWASP needs to clarify how we would be acting for ISO 27034,
which is in my view a very interesting opportunity to make application
security visible.



2013/8/26 Patrick Leclerc <patrick.leclerc at owasp.org>:
> Hi all,
>
> I think the debate here is getting much wider than the intentions initially
> explained by Jonathan (involving participation in producing ISO 27034 ASCs
> (Application Security Controls) for controls and recommendations already
> proposed by OWASP).
>
> From my understanding, these ASCs will be nothing more than XML templates or
> samples that will describe which, why, when and how a particular security
> control should be applied to assess the effectiveness and completeness of an
> SDLC security control.  Any organization that wants to implement ISO 27034
> would then have the possibility to take its inspiration from the provided
> OWASP ASC samples, and -any- organization not wanting to implement
> the standard would do well to use the freely provided OWASP content…
>
> Make sense?
>
> Patrick
>
>
>
> On Mon, Aug 26, 2013 at 1:14 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>
>> Added the OWASP governance list. If we want, we could discuss some parts
>> of the general governance questions there instead of the leaders list.
>>
>>
>> A few comments:
>> 0. In the past we had the GIC (Global Industry Committee) for coordinating
>> liaisons with other SDO organisations. As we have dissolved all committees,
>> that is no longer the case.
>>
>> Regarding external organisations in general:
>> - I think there are two base cases:
>> A) (this is probably the base case, e.g. for many of our members in ISO
>> etc.) a person is working with another organisation or standards body based
>> on their individual expertise or in their normal non-OWASP roles anyway. In
>> that case it is great to promote the vision of OWASP and our projects -
>> without claiming to speak on behalf of OWASP.
>> B) if a person wants to speak on behalf of OWASP or join an organisation
>> as an OWASP contact, then we need some kind of process to assign that role.
>> In the past we had the board and the GIC (which was empowered by the
>> community and the board) to do so and to coordinate. As at the moment we
>> only have the board to fulfill that function, this liaison role should be
>> assigned by the board if necessary, until we create a new coordination
>> function.
>>
>> In general, in my humble experience, a few thoughts:
>> 1. I think liaison functions are good to promote our OWASP goals and
>> vision into other organisations. It helps spread our message. But
>> coordination is very important.
>> 1.1. Liaison people could be coordinated and supported by our operations
>> staff or any other initiative/committee, but need to be selected/empowered
>> by the community (in whatever process we think makes most sense, i.e.
>> directly or indirectly). They require deep technical security expertise,
>> reliable commitment and certain standing within the community, criteria
>> which should be decided by our community/board/other community function, as
>> the community or an assigned sub-group is best suited to evaluate that
>> qualification.
>>
>> 2. In general, we as the OWASP community should give only very few
>> statements on behalf of the community. It is better to make a few good
>> statements with impact than to make many with low impact.
>> That means that even a person assigned by the community/board should not
>> speak on behalf of the community. And we should involve the community or go
>> through an internal process of coordination or review on the board and
>> leaders list before the OWASP organisation makes any official statements
>> (unless there is an emergency at hand).
>>
>> I have seen both strategies work very well with other global (and much
>> larger) SDOs (standards developing bodies) and think this could be a role
>> model for OWASP.
>>
>> Just my 5 cents,
>>
>> Tobias
>>
>>
>>
>>
>>
>> On 25/08/13 20:19, Sebastien Gioria wrote:
>>
>> 2013/8/25 Dennis Groves <dennis.groves at owasp.org>
>>>>
>>>>
>>>> Just to make sure my message is not misunderstood: I am not questioning
>>>> Sebastien's/Jonathan's involvement in the ISO 27034 process. Quite the
>>>> opposite, I highly vouch for them on this initiative, but this is
>>>> probably because I both personally and professionally know them and
>>>> fully entrust them with this initiative, which may still not be the case
>>>> for other leaders.
>>>>
>>>> If not done already, I would highly recommend this question to be
>>>> discussed in the workshops during the Appsec NY in November, just to
>>>> make sure that voices and opinions from leaders are well heard.
>>>>
>>>> Eventually, do we have a process (not sure whether or not the word
>>>> "committee" comes here) that centralizes and lists these collaborations
>>>> with standardization bodies?
>>>
>>>
>>> I am on BSI-ISO/SC27/WG4; I know I am also not alone in being in OWASP and
>>> on the standards committee. Obviously so are Jonathan and Sebastien, and
>>> there must be many others as well.  It may be useful indeed for us to gather
>>> in NY at AppSec USA so we can work on a process for engaging with standards
>>> bodies.
>>
>>
>> I propose to start a Hangout or so next month.
>>
>>
>> --
>> OWASP French Chapter Leader
>> GSM: +33 6 70 59 11 44
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>>
>
>
>
> --
> ------
> Patrick Leclerc
> OWASP Quebec city
> ------
>
>



-- 
OWASP French Chapter Leader
GSM: +33 6 70 59 11 44

