<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Book Antiqua";
        panose-1:2 4 6 2 5 3 5 3 3 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Book Antiqua","serif";
        color:black;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Hi
John. No worries.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal>[John] Does &quot;listings are currently required to provide
information&quot; mean &quot;the list has to include certain information about
each provider&quot;?<o:p></o:p></p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><b><span style='color:#4F81BD'>[Mike] Yes. For example, for &#8220;Verification&#8221;,
the following information is needed: &#8220;Provider listings are required to
include the following information: company name and link to corporate web site,
company location and markets served, company area(s) of application technology
expertise, ASVS verification levels offered; approach to performing
verifications, and contact name and email.&#8221;<o:p></o:p></span></b></p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>[John] What are &quot;descriptions of approaches&quot;?<o:p></o:p></p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><b><span style='color:#4F81BD'>[Mike] How one would go about
performing e.g. verification. For example, for verification: &#8220;Acme
Application Security Co.'s approach to performing dynamic scans (1A) combines
passive vulnerability scanning with manually testing areas of interest. Our
approach to performing source code scans (1B) targets application code and
goes beyond ASVS Level 1A requirements to additionally scan any open source
underlying frameworks and libraries that were modified or extended to create
your application. All reports are tailored to meet organization requirements.&#8221;<o:p></o:p></span></b></p>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>[John] Could you give an example of a &quot;given
service&quot;?<o:p></o:p></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><b><span style='font-family:"Book Antiqua","serif";
color:#4F81BD'>[Mike] Yes: &#8220;Verification&#8221; (for example, code review
according to ASVS requirements), &#8220;Implementation Services&#8221; (for
example, calling ESAPI for Java from a framework), &#8220;Process Improvement&#8221;
(process improvement according to each of the SAMM business functions), and &#8220;Training&#8221;
(training using an OWASP Guide).<o:p></o:p></span></b></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Best,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Mike
B.</span><span style='font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> owasp-leaders-bounces@lists.owasp.org
[mailto:owasp-leaders-bounces@lists.owasp.org] <b>On Behalf Of </b>John
Wilander<br>
<b>Sent:</b> Monday, May 24, 2010 2:44 PM<br>
<b>To:</b> owasp-leaders@lists.owasp.org<br>
<b>Subject:</b> Re: [Owasp-leaders] RFC: Two proposed next tweaks to the
services registry<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'>Hi Michael (and the rest of the
leaders)!<o:p></o:p></p>

<div>

<p class=MsoNormal>I'm sorry but I don't understand what you mean by &quot;OWASP
commercial services registry provider listings are currently required to
provide information that includes descriptions of approaches to performing a
given service.&quot;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>Does &quot;listings are currently required to provide
information&quot; mean &quot;the list has to include certain information about
each provider&quot;?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>What are &quot;descriptions of approaches&quot;?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>Could you give an example of a &quot;given service&quot;?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>I'm not a native English speaker I'm afraid. Sorry.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>&nbsp;&nbsp; Regards, John<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<p class=MsoNormal>2010/5/24 Boberski, Michael [USA] &lt;<a
href="mailto:boberski_michael@bah.com">boberski_michael@bah.com</a>&gt;<o:p></o:p></p>

<div>

<div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>Dear Colleagues,</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>As you know, I have been
working on the OWASP commercial services registry/commercial services board. </span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>We&#8217;re basically
shooting for a phone book that&#8217;s sorted according to some OWASP artifacts
as they are currently categorized, to try to nudge the planet along in adoption
of them, to get consumers of services of those types to ask for them, by making
it easy to find such service providers. </span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>Towards the end of
continuing its development, there is a next set of proposed updates that we
would like your opinion on. A survey has been set up here: <a
href="http://www.surveymonkey.com/s/9JDN98P" target="_blank">http://www.surveymonkey.com/s/9JDN98P</a>
&nbsp;If you can spare a few minutes to provide your input, it would be
appreciated. The cutoff date is the end of the week.</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>Best,</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>Mike B.</span><o:p></o:p></p>

</div>

</div>


</div>

<p class=MsoNormal><br>
<br clear=all>
<br>
-- <br>
John Wilander<br>
Chapter leader OWASP Sweden, <a href="http://owaspsweden.blogspot.com">http://owaspsweden.blogspot.com</a><br>
Conference chair OWASP AppSec Research 2010, <a href="http://owasp.se">http://owasp.se</a><o:p></o:p></p>

</div>

</div>

</body>

</html>