[Owasp-leaders] ISO/IEC 27034

Jonathan Marcil jonathan.marcil at owasp.org
Thu Jan 23 18:43:25 UTC 2014


Links for the live presentations about ISO/IEC we are doing today:

ISO/IEC Introduction by Tatsuaki Takebe
https://www.youtube.com/watch?v=yfXErQGFIv8
slides:
https://speakerdeck.com/owaspmontreal/iec-introduction-by-tatsuaki-takebe

ISO/IEC Introduction by Tatsuaki Takebe (going live now)
https://www.youtube.com/watch?v=GuY0DJxyiiU


On Tue, Jan 21, 2014 at 1:45 PM, Jonathan Marcil
<jonathan.marcil at owasp.org> wrote:

> Hi Tobias,
>
> now that I know better what a liaison is from an ISO/IEC point of view
> and I've been thinking about the dynamics while being in the AdHoc
> meeting and seeing how it works, I got some ideas.
>
> There are some considerations I base my thinking on:
> - ISO/IEC is an international organization and meetings/sessions are in
> person all around the world
> - OWASP is very decentralized and that's a good thing
> - Liaison is centralization
>
> I think we should approach ISO/IEC with a dual strategy that is using a
> main OWASP "liaison agent" while having a "field agent".
>
> The "liaison agent" would be someone who is in touch with one SC in
> particular within ISO/IEC. That person should know about the wide
> subject related to the SC. One of his tasks alongside regular liaison
> work (transmission of communications between officials) would be to
> find "field agents", prepare them and send them to meetings.
>
> The "field agent" is an OWASP representative who is within the
> geographical location of the ISO/IEC meeting and assists in order to do
> the live action stuff such as asking questions or taking notes for the
> liaison agent. He doesn't need to be an expert in the related SC subject
> since he is backed by the liaison agent. He can be a chapter leader, a
> project leader or even just a member as long as the liaison agent trusts
> him.
>
> For example, the liaison agent knows that there is a SC27/WG4 meeting in
> Hong Kong next month. He is aware of what will be going on and prepares
> questions while consulting the OWASP community or board. He then finds
> an OWASP field agent based in Hong Kong, briefs him and books him for the
> meeting. Afterwards, the field agent reports back to the liaison agent.
>
> The liaison agent can also act without the need of any field agent by using
> email or other remote means. It can be a small team if desired.
>
> A field agent can also decide to join in and help the liaison agent online
> as well. A liaison agent can also be a field agent at the same time if the
> opportunity is there.
>
> The major advantage I see is that we encourage collaboration within
> OWASP and we get to use our worldwide reach, by having a spot like any
> company with a budget that flies its employees to the meetings.
>
> The major disadvantage of that strategy is that the liaison agent would
> still be the bottleneck, but we can scale by having WG liaisons instead
> of just SC liaisons.
>
>
> -ACTIONS-
> Right now, if OWASP desires to go with it, we need to work on having
> SC27 and SC22 liaison agents for ISO 27034 and TR 24772. I can do the
> field work for Montreal. Sebastien Gioria is a good candidate for
> liaison/kick-off. This week we actually plan on Thursday to kick off for
> SC22/TR 24772 and it will be open to all on Hangout/YouTube.
>
> Mid term we can also check what type of liaison we want
> (
> http://www.iec.ch/members_experts/refdocs/iec/isoiecdir-1%7Bed9.0%7Den.pdf
> page 20 #1.17.2) but this can come after making a connection with ISO/IEC.
>
> I'll let you decide if the board needs to make a statement or have
> someone to join us in the kick-off or just talk to me and/or Sebastien
> afterwards.
>
> If anyone wants to join in as a liaison or to help with the kick-off, please
> contact me by email; I'll arrange something for Thursday from 10AM
> Eastern Time to 5PM EST.
>
>
> Thanks,
>
> - Jonathan
>
>
>
> On 2014-01-17 18:32, Tobias wrote:
> > Hi Jonathan,
> >
> > thanks a lot for the information and update.
> > I like and appreciate your light-weight approach towards ISO as an
> > individual with OWASP expertise.
> > I trust in your judgement and think the current informal way to interact
> > with ISO is a good one.
> >
> > You are part of OWASP and you have the best knowledge of the current
> > stage of the WG. So the question is what do /you/ think? What do you
> > recommend? If you think there is something we should do as an
> > organisation here (e.g. name a liaison or the like), please send me an
> > email and let me know and I will be happy to see how we can best help
> > and support you.
> >
> > Thanks again and all the best, Tobias
> >
> >
> > Tobias Gondrom
> > OWASP Global Board Member
> > email: tobias.gondrom at owasp.org
> > mobile: +852 56002975
> > mobile: +44 7521003005
> > skype: tgondrom
> > twitter: @tgondrom
> >
> >
> >
> > On 17/01/14 00:26, Jonathan Marcil wrote:
> >> Hi OWASP Leaders, SAMM people and governance enthusiasts,
> >>
> >> I'm here to let you know that I'll be participating in another ISO/IEC
> >> 27034 Ad-hoc Meeting next week in Montreal.
> >>
> >> I'll be on site and I noticed that at least Sebastien Gioria and
> >> Sebastien Deleersnyder have been invited to assist remotely as well.
> >>
> >> I revised our past email exchanges on the subject and noticed that the
> >> discussion leaned towards the importance of collaboration, even
> >> representation as "liaison" between OWASP and ISO/IEC working groups.
> >>
> >> Let me assure you, that the meeting I'll be attending is still pretty
> >> much like that last one, and that my position will be informative about
> >> OWASP rather than representative.
> >>
> >> My personal involvement and role is officially only through the following
> >> OWASP project that I co-lead with Luc Poulin, the 27034 main editor:
> >>
> >> https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project
> >>
> >> If OWASP decides to have an official ISO/IEC liaison representative,
> >> I'll be more than glad to make the link between the liaison and the
> >> ISO/IEC 27034 people during the meeting. I'll be live on site and can
> >> manage to remotely set up any communication means, from plain text
> >> chat to full video conference. Just hit me up by email.
> >>
> >>
> >> To reinforce the motion, I've also been asked to find a liaison or a way
> >> to cooperate between OWASP and ISO/IEC JTC 1 SC 22/WG 23 that makes TR
> >> 24772 "Information technology -- Programming languages -- Guidance to
> >> avoiding vulnerabilities in programming languages through language
> >> selection and use".
> >>
> >> My strategy on the cooperation part is to simply try to find and reach
> >> projects that fit with what TR 24772 authors want and to initiate
> >> communication.
> >>
> >> For the liaison, OWASP just needs to go ahead with the idea and I'll
> >> simply redirect people to them. We can also organize an online meeting
> >> Wednesday next week to discuss it with the TR 24772 contact.
> >>
> >>
> >> Finally, consider me available for any online meeting or call during
> >> those dates and times for the corresponding standard:
> >> ISO/IEC 27034: January 21st and 22nd, 9AM to 12PM, 1:30PM to 4:30PM
> >> Eastern Standard Time
> >> ISO/IEC TR 24772: January 23rd, 10AM to 6PM Eastern Standard Time
> >>
> >> Thanks,
> >>
> >> - Jonathan
> >>
> >>
> >>
> >>
> >>
> >> On 2013-08-14 22:00, Jonathan Marcil wrote:
> >>> Hi OWASP Leaders,
> >>>
> >>> The current email is to let you know that I have been invited to
> >>> represent OWASP at an ISO/IEC 27034 (Information technology — Security
> >>> techniques — Application security) meeting by Luc Poulin the main
> >>> project editor. It is held this week at Microsoft office in Montreal.
> >>>
> >>> Basically I'm here to contribute to the discussion with practical
> >>> application security knowledge and OWASP projects. I'm, of course, just
> >>> really speaking "about OWASP" and not "for OWASP".
> >>>
> >>> We are also planning to propose some new OWASP projects, and especially
> >>> one that will create Application Security Controls (ASCs) as described
> >>> in the standard from OWASP Top 10 entries and other projects.
> >>>
> >>> The ASCs in 27034 are actually made in an XML format and are not only
> >>> documentation but a normalized representation of an application security
> >>> control, so the mapping is rather different from what was done with OpenSAMM
> >>> on http://www.opensamm.org/2012/04/mapping-samm-to-isoiec-27034/.
> >>>
> >>> You can find more details about the standard at:
> >>> http://www.iso27001security.com/html/27034.html
> >>>
> >>> If anyone is interested in the subject, feel free to reply to this
> >>> email. We haven't even started the process to create the new projects
> >>> but will welcome any help.
> >>>
> >>> Thanks,
> >>>
> >
>