[Owasp-leaders] ISO/IEC 27034

Jonathan Marcil jonathan.marcil at owasp.org
Fri Jan 17 00:26:58 UTC 2014

Hi OWASP Leaders, SAMM people and governance enthusiasts,

I'm here to let you know that I'll be participating in another ISO/IEC
27034 Ad-hoc Meeting next week in Montreal.

I'll be on site and I noticed that at least Sebastien Gioria and
Sebastien Deleersnyder have been invited to assist remotely as well.

I reviewed our past email exchanges on the subject and noticed that the
discussion leaned towards the importance of collaboration, even
representation as "liaison" between OWASP and ISO/IEC working groups.

Let me assure you that the meeting I'll be attending is still pretty
much like the last one, and that my position will be informative about
OWASP rather than representative.

My personal involvement and role are officially only through the following
OWASP project that I co-lead with Luc Poulin, the 27034 main editor:

If OWASP decides to have an official ISO/IEC liaison representative,
I'll be more than glad to make the link between the liaison and the
ISO/IEC 27034 people during the meeting. I'll be live on site and can
manage to remotely set up any communication means, from plain text
chat to full video conference. Just hit me up by email.

To reinforce the motion, I've also been asked to find a liaison or a way
to cooperate between OWASP and ISO/IEC JTC 1 SC 22/WG 23 that makes TR
24772 "Information technology -- Programming languages -- Guidance to
avoiding vulnerabilities in programming languages through language
selection and use".

My strategy on the cooperation part is to simply try to find and reach
projects that fit with what TR 24772 authors want and to initiate

For the liaison, OWASP just needs to go ahead with the idea and I'll
simply redirect people to them. We can also organize an online meeting
Wednesday next week to discuss it with the TR 24772 contact.

Finally, consider me available for any online meeting or call during
those dates and times for the corresponding standard:
ISO/IEC 27034: January 21st and 22nd, 9AM to 12PM, 1:30PM to 4:30PM
Eastern Standard Time
ISO/IEC TR 24772: January 23rd, 10AM to 6PM Eastern Standard Time


- Jonathan

On 2013-08-14 22:00, Jonathan Marcil wrote:
> Hi OWASP Leaders,
> The current email is to let you know that I have been invited to
> represent OWASP at an ISO/IEC 27034 (Information technology — Security
> techniques — Application security) meeting by Luc Poulin, the main
> project editor. It is held this week at the Microsoft office in Montreal.
> Basically I'm here to contribute to the discussion with practical
> application security knowledge and OWASP projects. I'm, of course, just
> really speaking "about OWASP" and not "for OWASP".
> We are also planning to propose some new OWASP projects, and especially
> one that will create Application Security Controls (ASCs) as described
> in the standard from OWASP Top 10 entries and other projects.
> The ASCs in 27034 are actually made in an XML format and are not only
> documentation but a normalized representation of an application security
> control, so the mapping is rather different from what was done with OpenSAMM
> on http://www.opensamm.org/2012/04/mapping-samm-to-isoiec-27034/.
> You can find more details about the standard at:
> http://www.iso27001security.com/html/27034.html
> If anyone is interested in the subject, feel free to reply to this
> email. We haven't even started the process to create the new projects
> but will welcome any help.
> Thanks,
