[Owasp-leaders] ISO/IEC 27034

Tobias tobias.gondrom at owasp.org
Fri Jan 17 23:32:17 UTC 2014

Hi Jonathan,

thanks a lot for the information and update.
I like and appreciate your light-weight approach towards ISO as an
individual with OWASP expertise.
I trust in your judgement and think the current informal way to interact
with ISO is a good one.

You are part of OWASP and you have the best knowledge of the current
stage of the WG. So the question is what do /you/ think? What do you
recommend? If you think there is something we should do as an
organisation here (e.g. name a liaison or the like), please send me an
email and let me know and I will be happy to see how we can best help
and support you.

Thanks again and all the best, Tobias

Tobias Gondrom
OWASP Global Board Member
email: tobias.gondrom at owasp.org <mailto:tobias.gondrom at owasp.org>
mobile: +852 56002975
mobile: +44 7521003005
skype: tgondrom
twitter: @tgondrom

On 17/01/14 00:26, Jonathan Marcil wrote:
> Hi OWASP Leaders, SAMM people and governance enthusiasts,
> I'm here to let you know that I'll be participating in another ISO/IEC
> 27034 Ad-hoc Meeting next week in Montreal.
> I'll be on site and I noticed that at least Sebastien Gioria and
> Sebastien Deleersnyder have been invited to assist remotely as well.
> I reviewed our past email exchanges on the subject and noticed that the
> discussion leaned towards the importance of collaboration, even
> representation as "liaison" between OWASP and ISO/IEC working groups.
> Let me assure you that the meeting I'll be attending is still pretty
> much like the last one, and that my position will be informative about
> OWASP rather than representative.
> My personal implication and role are officially only through the following
> OWASP project that I co-lead with Luc Poulin, the 27034 main editor:
> https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project
> If OWASP decides to have an official ISO/IEC liaison representative,
> I'll be more than glad to make the link between the liaison and the
> ISO/IEC 27034 people during the meeting. I'll be live on site and can
> manage to remotely set up any means of communication, from plain text
> chat to full video conference. Just hit me up by email.
> To reinforce the motion, I've also been asked to find a liaison or a way
> to cooperate between OWASP and ISO/IEC JTC 1 SC 22/WG 23 that makes TR
> 24772 "Information technology -- Programming languages -- Guidance to
> avoiding vulnerabilities in programming languages through language
> selection and use".
> My strategy on the cooperation part is to simply try to find and reach
> projects that fit with what TR 24772 authors want and to initiate
> communication.
> For the liaison, OWASP just needs to go ahead with the idea and I'll
> simply redirect people to them. We can also organize an online meeting
> Wednesday next week to discuss it with the TR 24772 contact.
> Finally, consider me available for any online meeting or call on
> the following dates and times for the corresponding standard:
> ISO/IEC 27034: January 21st and 22nd, 9AM to 12PM, 1:30PM to 4:30PM
> Eastern Standard Time
> ISO/IEC TR 24772: January 23rd, 10AM to 6PM Eastern Standard Time
> Thanks,
> - Jonathan
> On 2013-08-14 22:00, Jonathan Marcil wrote:
>> Hi OWASP Leaders,
>> This email is to let you know that I have been invited to
>> represent OWASP at an ISO/IEC 27034 (Information technology — Security
>> techniques — Application security) meeting by Luc Poulin, the main
>> project editor. It is held this week at the Microsoft office in Montreal.
>> Basically I'm here to contribute to the discussion with practical
>> application security knowledge and OWASP projects. I'm, of course, just
>> really speaking "about OWASP" and not "for OWASP".
>> We are also planning to propose some new OWASP projects, and especially
>> one that will create Application Security Controls (ASCs) as described
>> in the standard from OWASP Top 10 entries and other projects.
>> The ASCs in 27034 are actually made in an XML format and are not only
>> documentation but a normalized representation of an application security
>> control, so the mapping is rather different from what was done with OpenSAMM
>> on http://www.opensamm.org/2012/04/mapping-samm-to-isoiec-27034/.
>> You can find more details about the standard at:
>> http://www.iso27001security.com/html/27034.html
>> If anyone is interested in the subject, feel free to reply to this
>> email. We haven't even started the process to create the new projects
>> but will welcome any help.
>> Thanks,
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
