[Owasp-leaders] ISO/IEC 27034

Jonathan Marcil jonathan.marcil at owasp.org
Tue Jan 21 18:45:39 UTC 2014

Hi Tobias,

now that I know better what a liaison is from an ISO/IEC point of view,
and having thought about the dynamics while being in the AdHoc
meeting and seeing how it works, I've got some ideas.

There are some considerations I base my thinking on:
- ISO/IEC is an international organization and meetings/sessions are in
person all around the world
- OWASP is very decentralized and that's a good thing
- Liaison is centralization

I think we should approach ISO/IEC with a dual strategy that uses a
main OWASP "liaison agent" while having a "field agent".

The "liaison agent" would be someone who is in touch with one SC in
particular within ISO/IEC. That person should know about the wider
subject related to the SC. One of his tasks alongside regular liaison
stuff (transmission of communications between officials) would be to
find "field agents", prepare them and send them to meetings.

The "field agent" is an OWASP representative who is within the
geographical location of the ISO/IEC meeting and assists in order to do
the live action stuff such as asking questions or taking notes for the
liaison agent. He doesn't need to be an expert in the related SC subject
since he is backed by the liaison agent. He can be a chapter leader, a
project leader or even just a member as long as the liaison agent trusts

For example, the liaison agent knows that there is an SC27/WG4 meeting in
Hong Kong next month. He is aware of what will be going on and prepares
questions while consulting the OWASP community or board. He then finds
an OWASP field agent based in Hong Kong, briefs him and books him for the
meeting. Afterwards, the field agent reports back to the liaison agent.

The liaison agent can also act without the need of any field agent by using
emails or other remote means. It can be a small team if desired.

A field agent can also decide to join in and help the liaison agent online
as well. A liaison agent can also be a field agent at the same time if the
opportunity is there.

The major advantage I see is that we encourage collaboration within
OWASP and we get to use our worldwide reach, by having a spot like any
company with a budget that flies its employees to the meetings.

The major disadvantage of that strategy is that the liaison agent would
still be the bottleneck, but we can scale by having WG liaisons instead
of just SC liaisons.

Right now, if OWASP desires to go with it, we need to work on having
SC27 and SC22 liaison agents for ISO 27034 and TR 24772. I can do the
field work for Montreal. Sebastien Gioria is a good candidate for
liaison/kick-off. This week we actually plan to kick off on Thursday for
SC22/TR 24772 and it will be open to all on Hangout/YouTube.

Mid term we can also check what type of liaison we want
(page 20 #1.17.2), but this can come after making a connection with ISO/IEC.

I'll let you decide if the board needs to make a statement, have
someone join us in the kick-off, or just talk to me and/or Sebastien.

If anyone wants to join in as a liaison or to help with the kick-off, please
contact me by email and I'll arrange something for Thursday from 10AM
Eastern Time to 5PM EST.


- Jonathan

On 2014-01-17 18:32, Tobias wrote:
> Hi Jonathan,
> thanks a lot for the information and update.
> I like and appreciate your light-weight approach towards ISO as an
> individual with OWASP expertise.
> I trust in your judgement and think the current informal way to interact
> with ISO is a good one.
> You are part of OWASP and you have the best knowledge of the current
> stage of the WG. So the question is what do /you/ think? What do you
> recommend? If you think there is something we should do as an
> organisation here (e.g. name a liaison or the like), please send me an
> email and let me know and I will be happy to see how we can best help
> and support you.
> Thanks again and all the best, Tobias
> Tobias Gondrom
> OWASP Global Board Member
> email: tobias.gondrom at owasp.org
> mobile: +852 56002975
> mobile: +44 7521003005
> skype: tgondrom
> twitter: @tgondrom
> On 17/01/14 00:26, Jonathan Marcil wrote:
>> Hi OWASP Leaders, SAMM people and governance enthusiasts,
>> I'm here to let you know that I'll be participating in another ISO/IEC
>> 27034 Ad-hoc Meeting next week in Montreal.
>> I'll be on site and I noticed that at least Sebastien Gioria and
>> Sebastien Deleersnyder have been invited to assist remotely as well.
>> I revised our past email exchanges on the subject and noticed that the
>> discussion leaned towards the importance of collaboration, even
>> representation as "liaison" between OWASP and ISO/IEC working groups.
>> Let me assure you that the meeting I'll be attending is still pretty
>> much like the last one, and that my position will be informative about
>> OWASP rather than representative.
>> My personal involvement and role is officially only through the following
>> OWASP project that I co-lead with Luc Poulin, the 27034 main editor:
>> https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project
>> If OWASP decides to have an official ISO/IEC liaison representative,
>> I'll be more than glad to make the link between the liaison and the
>> ISO/IEC 27034 people during the meeting. I'll be live on site and can
>> manage to remotely set up any communication means, from plain text
>> chat to full video conference. Just hit me up by email.
>> To reinforce the motion, I've also been asked to find a liaison or a way
>> to cooperate between OWASP and ISO/IEC JTC 1 SC 22/WG 23 that makes TR
>> 24772 "Information technology -- Programming languages -- Guidance to
>> avoiding vulnerabilities in programming languages through language
>> selection and use".
>> My strategy on the cooperation part is to simply try to find and reach
>> projects that fit with what TR 24772 authors want and to initiate
>> communication.
>> For the liaison, OWASP just needs to go ahead with the idea and I'll
>> simply redirect people to them. We can also organize an online meeting
>> Wednesday next week to discuss it with the TR 24772 contact.
>> Finally, consider me available for any online meeting or call during
>> those dates and times for the corresponding standard:
>> ISO/IEC 27034: January 21st and 22nd, 9AM to 12PM, 1:30PM to 4:30PM
>> Eastern Standard Time
>> ISO/IEC TR 24772: January 23rd, 10AM to 6PM Eastern Standard Time
>> Thanks,
>> - Jonathan
>> On 2013-08-14 22:00, Jonathan Marcil wrote:
>>> Hi OWASP Leaders,
>>> The current email is to let you know that I have been invited to
>>> represent OWASP at an ISO/IEC 27034 (Information technology — Security
>>> techniques — Application security) meeting by Luc Poulin the main
>>> project editor. It is held this week at Microsoft office in Montreal.
>>> Basically I'm here to contribute to the discussion with practical
>>> application security knowledge and OWASP projects. I'm, of course, just
>>> really speaking "about OWASP" and not "for OWASP".
>>> We are also planning to propose some new OWASP projects, and especially
>>> one that will create Application Security Controls (ASCs) as described
>>> in the standard from OWASP Top 10 entries and other projects.
>>> The ASCs in 27034 are actually made in an XML format and are not only
>>> documentation but a normalized representation of an application security
>>> control, so the mapping is rather different from what was done with OpenSAMM
>>> on http://www.opensamm.org/2012/04/mapping-samm-to-isoiec-27034/.
>>> You can find more details about the standard at:
>>> http://www.iso27001security.com/html/27034.html
>>> If anyone is interested in the subject, feel free to reply to this
>>> email. We haven't even started the process to create the new projects
>>> but will welcome any help.
>>> Thanks,
