[Owasp-leaders] Fwd: Feedback Documentation Evaluation Proposal

Larry Conklin larry.conklin at owasp.org
Sun Aug 10 17:30:44 UTC 2014

Johanna, thanks for putting this together. I think as a draft this is a
good start. My suggestion would be to scale back on the scope and implement
it in a step-by-step approach.

What is going to be your approach to evaluating feedback?

All, it doesn't look like people are really commenting on this. This is an
important proposal that needs feedback from the entire community. Below is
my feedback on this proposal.

Larry Conklin, CISSP

*Qualitative and Quantitative Content Audit Feedback*

I would like to divide my feedback into two sections. The first section is
more about what is and is not a flagship project, centered on the OWASP Top
Ten Project, and the second is more general feedback on the Content Audit
proposal.

I have read several emails concerning the OWASP Top Ten project: that the
project does not release enough of its own and vendor-supplied data, and
that it takes away from other good projects. The second concern I find to
be contrary to common sense <http://ninjawords.com/common%2520sense>. I see
OWASP Top Ten mention different web sites, PDF research papers and books
(The Tangled Web: A Guide to Securing Modern Web Applications, Systematic
Techniques for Finding and Preventing Script Injection Vulnerabilities),
etc., just to mention a few references. All of these references give the
reader a chance to learn more about OWASP and the different projects inside
OWASP. I have even seen a SANS ppt presentation that talked about ZAP as a
tool to find injection issues where the main subject of the ppt was OWASP
Top Ten. My company uses OWASP Top Ten as part of its annual secure coding
standards for all developers. Something so prevalent and mentioned so many
times has to be good for OWASP, if for nothing else than to make
application security relevant, open and visible. If OWASP Top Ten were off
the mark it simply would not be referenced as many times as it is. So for
that reason, no matter what the Content Audit policy is, I feel strongly
that OWASP needs to keep OWASP Top Ten as a flagship project. On the issue
of publishing the data that OWASP Top Ten gathers, both vendor-supplied and
privately gathered, I feel I don't have enough information to make an
intelligent decision or comment.

On a more general aspect of the proposed content audit policy I do have
some comments.


1.     On "Qualitative content audit methodology by Martin & Hannington":
this is a book that deals with everything, like eye tracking of where a
user looks in a document. I would like to understand exactly what should be
in this policy without having to reference a book. Maybe we could reference
the exact sections we want to include instead of the entire book.

2.     Document says it will include automated systems. What systems?
OWASP, third party applications, etc?

3.     Plagiarism checker? Which one, and who is paying for it, OWASP and/or
the project? This can get costly. If the code review takes content out of a
cheat sheet and puts it into the Code Review Guide, is this plagiarism?
Plagiarism is about ownership of content. I don't want us to get into an
ownership battle. Consider this turn of events: someone takes content out
of the Code Review Guide and publishes it in a research paper or blog, and
then we update the Code Review Guide and run the plagiarism checker. How
would this situation be resolved? Remember, everything OWASP does should be
open license, hence free to copy. Free to copy causes plagiarism errors.

4.     Open source: there are many open source licenses
(http://opensource.org/licenses), Apache, GNU, etc. Are we saying all
projects have to use the same open source license? This is something I
would encourage. It just makes life easier.

5.     Be careful about using the word "Accessibility"
(http://en.wikipedia.org/wiki/Web_accessibility). Where I work we have to
make sure our public-facing web sites meet the US criteria for
accessibility; I really don't want to go there with OWASP. Oh yeah, please
don't use yellow in your documents. People like me who are colorblind find
it very non-accessible. Funny but true.

a.     Mailing lists/feedback? So we want the public to use the wiki for a
feedback form, or Google Docs? Download content from the wiki and go to
Google Docs to fill in a feedback form? I would prefer one feedback form
where a user can select a project from a drop-down list along with a few
other common questions. The same goes for mailing lists: allow one mailing
list that can be used for every project instead of a mailing list for each
project to provide feedback.

6.     I think I need a simple check-off list that shows, for each task,
what points the project receives.

*Second phase.*

OK this doesn’t need to be in a proposal, just sounds like something we
should do.

*Third phase.*

1.     Relevance: so a project gets released, then based on popularity
(downloads) it gets flagship status. Isn't that what some people are
complaining about with OWASP Top Ten?

2.     Formatting/Branding. Sounds good, but this isn't easy. Shouldn't this
be another project? I suspect you want something like the "O'Reilly Head
First" series. I think there are a lot of good suggestions in this proposal
but it suffers from project creep. I strongly suggest we start small and
grow the content policy. This would need to be available to all projects
before it starts to be part of any criteria that a project is judged on.

3.     Hiring experts. Isn't that us? I understand the intent, but this
language can be very offensive to the community.

On Sun, Aug 3, 2014 at 8:56 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Leaders,
> The following attachment contains a proposal for an evaluation methodology
> for OWASP documentation projects.
> After brainstorming with some community members, we have set this idea down
> in this draft document.
> Please, we strongly encourage all project leaders to go through and read
> the document.
> Also, I have added a feedback form. Your opinion counts. We are trying to
> develop a methodology and this is a proposal. Your input would be valuable
> to the final version.
> Access to the form:
> https://docs.google.com/a/owasp.org/forms/d/1VlIFrGxogpuy_Sb-wsbXI3ToQZJw-5fQgZFy09sJQ00/viewform?c=0&w=1&usp=mail_form_link
> Cheers
> Johanna Curiel
> Lead Project Task Force
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders