[Owasp-leaders] ISO/IEC 27034

Samantha Groves samantha.groves at owasp.org
Thu Jan 23 18:52:59 UTC 2014


Thank you, Jonathan. :-)


On Thu, Jan 23, 2014 at 11:43 AM, Jonathan Marcil <jonathan.marcil at owasp.org> wrote:

> Links for the live presentations about ISO/IEC we are doing today:
>
> ISO/IEC Introduction by Tatsuaki Takebe
> https://www.youtube.com/watch?v=yfXErQGFIv8
> slides:
> https://speakerdeck.com/owaspmontreal/iec-introduction-by-tatsuaki-takebe
>
> ISO/IEC Introduction by Tatsuaki Takebe (going live now)
> https://www.youtube.com/watch?v=GuY0DJxyiiU
>
>
> On Tue, Jan 21, 2014 at 1:45 PM, Jonathan Marcil <jonathan.marcil at owasp.org> wrote:
>
>> Hi Tobias,
>>
>> now that I know better what a liaison is from an ISO/IEC point of view
>> and I've been thinking about the dynamics while being in the AdHoc
>> meeting and seeing how it works, I got some ideas.
>>
>> There are some considerations I base my thinking on:
>> - ISO/IEC is an international organization and meetings/sessions are in
>> person all around the world
>> - OWASP is very decentralized and that's a good thing
>> - Liaison is centralization
>>
>> I think we should approach ISO/IEC with a dual strategy that is using a
>> main OWASP "liaison agent" while having a "field agent".
>>
>> The "liaison agent" would be someone who is in touch with one SC in
>> particular within ISO/IEC. That person should know about the wide
>> subject related to the SC. One of his tasks alongside regular liaison
>> stuff (transmission of communications between officials) would be to
>> find "field agents", prepare them and send them to meetings.
>>
>> The "field agent" is an OWASP representative who is within the
>> geographical location of the ISO/IEC meeting and assists in order to do
>> the live action stuff such as asking questions or taking notes for the
>> liaison agent. He doesn't need to be an expert in the related SC subject
>> since he is backed by the liaison agent. He can be a chapter leader, a
>> project leader or even just a member as long as the liaison agent trusts
>> him.
>>
>> For example, the liaison agent knows that there is a SC27/WG4 meeting in
>> Hong Kong next month. He is aware of what will be going on and prepares
>> questions while consulting the OWASP community or board. He then finds
>> an OWASP field agent based in Hong Kong, briefs him and books him for the
>> meeting. Afterwards, the field agent reports back to the liaison agent.
>>
>> The liaison agent can also act without the need for any field agent by using
>> emails or other remote means. It can be a small team if desired.
>>
>> The field agent can also decide to join in and help the liaison agent online
>> as well. A liaison agent can also be a field agent at the same time if the
>> opportunity is there.
>>
>> The major advantage I see is that we encourage collaboration within
>> OWASP and we get to use our worldwide reach, by having a spot like any
>> company with a budget that flies its employees to the meetings.
>>
>> The major disadvantage of that strategy is that the liaison agent would
>> still be the bottleneck, but we can scale by having WG liaisons instead
>> of just SC liaisons.
>>
>>
>> -ACTIONS-
>> Right now, if OWASP desires to go with it, we need to work on having
>> SC27 and SC22 liaison agents for ISO 27034 and TR 24772. I can do the
>> field work for Montreal. Sebastien Gioria is a good candidate for
>> liaison/kick-off. This week we actually plan on Thursday to kick off for
>> SC22/TR 24772 and it will be open to all on Hangout/YouTube.
>>
>> Mid term we can also check what type of liaison we want
>> (
>> http://www.iec.ch/members_experts/refdocs/iec/isoiecdir-1%7Bed9.0%7Den.pdf
>> page 20 #1.17.2) but this can come after making a connection with ISO/IEC.
>>
>> I'll let you decide if the board needs to make a statement or have
>> someone to join us in the kick-off or just talk to me and/or Sebastien
>> afterwards.
>>
>> If anyone wants to join in as a liaison or to help with the kick-off, please
>> contact me by email and I'll arrange something for Thursday from 10AM
>> Eastern Time to 5PM EST.
>>
>>
>> Thanks,
>>
>> - Jonathan
>>
>>
>>
>> On 2014-01-17 18:32, Tobias wrote:
>> > Hi Jonathan,
>> >
>> > thanks a lot for the information and update.
>> > I like and appreciate your light-weight approach towards ISO as an
>> > individual with OWASP expertise.
>> > I trust in your judgement and think the current informal way to interact
>> > with ISO is a good one.
>> >
>> > You are part of OWASP and you have the best knowledge of the current
>> > stage of the WG. So the question is what do /you/ think? What do you
>> > recommend? If you think there is something we should do as an
>> > organisation here (e.g. name a liaison or the like), please send me an
>> > email and let me know and I will be happy to see how we can best help
>> > and support you.
>> >
>> > Thanks again and all the best, Tobias
>> >
>> >
>> > Tobias Gondrom
>> > OWASP Global Board Member
>> > email: tobias.gondrom at owasp.org
>> > mobile: +852 56002975
>> > mobile: +44 7521003005
>> > skype: tgondrom
>> > twitter: @tgondrom
>> >
>> >
>> >
>> > On 17/01/14 00:26, Jonathan Marcil wrote:
>> >> Hi OWASP Leaders, SAMM people and governance enthusiasts,
>> >>
>> >> I'm here to let you know that I'll be participating in another ISO/IEC
>> >> 27034 Ad-hoc Meeting next week in Montreal.
>> >>
>> >> I'll be on site and I noticed that at least Sebastien Gioria and
>> >> Sebastien Deleersnyder have been invited to assist remotely as well.
>> >>
>> >> I revised our past email exchanges on the subject and noticed that the
>> >> discussion leaned towards the importance of collaboration, even
>> >> representation as "liaison" between OWASP and ISO/IEC working groups.
>> >>
>> >> Let me assure you that the meeting I'll be attending is still pretty
>> >> much like the last one, and that my position will be informative about
>> >> OWASP rather than representative.
>> >>
>> >> My personal implication and role is officially only through the following
>> >> OWASP project that I co-lead with Luc Poulin, the 27034 main editor:
>> >>
>> >> https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project
>> >>
>> >> If OWASP decides to have an official ISO/IEC liaison representative,
>> >> I'll be more than glad to make the link between the liaison and the
>> >> ISO/IEC 27034 people during the meeting. I'll be live on site and can
>> >> manage to remotely set up any communication means, from plain text
>> >> chat to full video conference. Just hit me up by email.
>> >>
>> >>
>> >> To reinforce the motion, I've also been asked to find a liaison or a way
>> >> to cooperate between OWASP and ISO/IEC JTC 1 SC 22/WG 23 that makes TR
>> >> 24772 "Information technology -- Programming languages -- Guidance to
>> >> avoiding vulnerabilities in programming languages through language
>> >> selection and use".
>> >>
>> >> My strategy on the cooperation part is to simply try to find and reach
>> >> projects that fit with what TR 24772 authors want and to initiate
>> >> communication.
>> >>
>> >> For the liaison, OWASP just needs to go ahead with the idea and I'll
>> >> simply redirect people to them. We can also organize an online meeting
>> >> Wednesday next week to discuss it with the TR 24772 contact.
>> >>
>> >>
>> >> Finally, consider me available for any online meeting or call during
>> >> those dates and times for the corresponding standard:
>> >> ISO/IEC 27034: January 21st and 22nd, 9AM to 12PM, 1:30PM to 4:30PM
>> >> Eastern Standard Time
>> >> ISO/IEC TR 24772: January 23rd, 10AM to 6PM Eastern Standard Time
>> >>
>> >> Thanks,
>> >>
>> >> - Jonathan
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On 2013-08-14 22:00, Jonathan Marcil wrote:
>> >>> Hi OWASP Leaders,
>> >>>
>> >>> The current email is to let you know that I have been invited to
>> >>> represent OWASP at an ISO/IEC 27034 (Information technology — Security
>> >>> techniques — Application security) meeting by Luc Poulin, the main
>> >>> project editor. It is held this week at the Microsoft office in Montreal.
>> >>>
>> >>> Basically I'm here to contribute to the discussion with practical
>> >>> application security knowledge and OWASP projects. I'm, of course, just
>> >>> really speaking "about OWASP" and not "for OWASP".
>> >>>
>> >>> We are also planning to propose some new OWASP projects, and especially
>> >>> one that will create Application Security Controls (ASCs) as described
>> >>> in the standard from OWASP Top 10 entries and other projects.
>> >>>
>> >>> The ASCs in 27034 are actually made in an XML format and are not only
>> >>> documentation but a normalized representation of an application security
>> >>> control, so the mapping is rather different from what was done with OpenSAMM
>> >>> on http://www.opensamm.org/2012/04/mapping-samm-to-isoiec-27034/.
>> >>>
>> >>> You can find more details about the standard at:
>> >>> http://www.iso27001security.com/html/27034.html
>> >>>
>> >>> If anyone is interested in the subject, feel free to reply to this
>> >>> email. We haven't even started the process to create the new projects
>> >>> but will welcome any help.
>> >>>
>> >>> Thanks,
>> >>>
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>>
>
>


-- 

*Samantha Groves, MBA*

*OWASP Projects Manager*


The OWASP Foundation

Phoenix, USA

Email: samantha.groves at owasp.org

Skype: samanthahz


OWASP Global Projects<https://www.owasp.org/index.php/Category:OWASP_Project>

Book a Meeting with Me <http://goo.gl/mZXdZ>

OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>

New Project Application Form <http://www.tfaforms.com/263506>

