[Owasp-leaders] [Governance] ISO/IEC 27034

Sebastien Gioria sebastien.gioria at owasp.org
Mon Jan 20 21:37:41 UTC 2014

Hi Tobias and all,

For me, even if the ISO guidance is not open source, OWASP needs to do
something to start linking with ISO.

We urgently need to start acting as an "observer" in JTC1/SC27 on
27034. If we do not take on this role, we will end up with a vendorised
ISO 27034 (and other ISO guidances related to our knowledge) version of all
the sub-guidances.

Now it's time to start working with ISO representatives, and not just
to talk (it's been 6 months since this thread started):

So, as I'm CCed on the list and involved here in France with some working
groups on the ISO guidances, I propose my name as a link between OWASP
and the ISO JTC1/SC groups.

Just so you understand what I have in mind:

I will not "represent" OWASP, but just be the "point of contact"
between the JTC1/SC group and OWASP.

If all of you agree, let's go ahead and push my name/email/mobile phone
to the JTC1/SC group.

Cheers from France.


2014/1/18 Tobias <tobias.gondrom at owasp.org>:
> Hi Jonathan,
> thanks a lot for the information and update.
> I like and appreciate your light-weight approach towards ISO as an
> individual with OWASP expertise.
> I trust in your judgement and think the current informal way to interact
> with ISO is a good one.
> You are part of OWASP and you have the best knowledge of the current stage
> of the WG. So the question is what do you think? What do you recommend? If
> you think there is something we should do as an organisation here (e.g. name
> a liaison or the like), please send me an email and let me know and I will
> be happy to see how we can best help and support you.
> Thanks again and all the best, Tobias
> Tobias Gondrom
> OWASP Global Board Member
> email: tobias.gondrom at owasp.org
> mobile: +852 56002975
> mobile: +44 7521003005
> skype: tgondrom
> twitter: @tgondrom
> On 17/01/14 00:26, Jonathan Marcil wrote:
> Hi OWASP Leaders, SAMM people and governance enthusiasts,
> I'm here to let you know that I'll be participating in another ISO/IEC
> 27034 Ad-hoc Meeting next week in Montreal.
> I'll be on site and I noticed that at least Sebastien Gioria and
> Sebastien Deleersnyder have been invited to assist remotely as well.
> I reviewed our past email exchanges on the subject and noticed that the
> discussion leaned towards the importance of collaboration, even
> representation as "liaison" between OWASP and ISO/IEC working groups.
> Let me assure you that the meeting I'll be attending is still pretty
> much like the last one, and that my position will be informative about
> OWASP rather than representative.
> My personal involvement and role is officially only through the following
> OWASP project that I co-lead with Luc Poulin, the 27034 main editor:
> https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project
> If OWASP decides to have an official ISO/IEC liaison representative,
> I'll be more than glad to make the link between the liaison and the
> ISO/IEC 27034 people during the meeting. I'll be live on site and can
> manage to remotely set up any communication means, from plain text
> chat to full video conference. Just hit me up by email.
> To reinforce the motion, I've also been asked to find a liaison or a way
> to cooperate between OWASP and ISO/IEC JTC 1 SC 22/WG 23 that makes TR
> 24772 "Information technology -- Programming languages -- Guidance to
> avoiding vulnerabilities in programming languages through language
> selection and use".
> My strategy on the cooperation part is to simply try to find and reach
> projects that fit with what TR 24772 authors want and to initiate
> communication.
> For the liaison, OWASP just needs to go ahead with the idea and I'll
> simply redirect people to them. We can also organize an online meeting
> Wednesday next week to discuss it with the TR 24772 contact.
> Finally, consider me available for any online meeting or call during
> those dates and times for the corresponding standard:
> ISO/IEC 27034: January 21st and 22nd, 9AM to 12PM, 1:30PM to 4:30PM
> Eastern Standard Time
> ISO/IEC TR 24772: January 23rd, 10AM to 6PM Eastern Standard Time
> Thanks,
> - Jonathan
> On 2013-08-14 22:00, Jonathan Marcil wrote:
> Hi OWASP Leaders,
> The current email is to let you know that I have been invited to
> represent OWASP at an ISO/IEC 27034 (Information technology — Security
> techniques — Application security) meeting by Luc Poulin the main
> project editor. It is held this week at Microsoft office in Montreal.
> Basically I'm here to contribute to the discussion with practical
> application security knowledge and OWASP projects. I'm, of course, just
> really speaking "about OWASP" and not "for OWASP".
> We are also planning to propose some new OWASP projects, and especially
> one that will create Application Security Controls (ASCs) as described
> in the standard from OWASP Top 10 entries and other projects.
> The ASCs in 27034 are actually made in an XML format and are not only
> documentation but a normalized representation of an application security
> control, so the mapping is rather different from what was done with OpenSAMM
> on http://www.opensamm.org/2012/04/mapping-samm-to-isoiec-27034/.
> You can find more details about the standard at :
> http://www.iso27001security.com/html/27034.html
> If anyone is interested in the subject, feel free to reply to this
> email. We haven't even started the process to create the new projects
> but will welcome any help.
> Thanks,
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance

OWASP French Chapter Leader
GSM: +33 6 70 59 11 44
