[Owasp-topten] [Owasp-guide] [OWASP ASVS] RFC: Common numbering proposal # 2

Boberski, Michael [USA] boberski_michael at bah.com
Fri Jan 8 09:45:06 EST 2010

Excellent advice, thank you, I added it to the guidance portion of the wiki page, and will take this advice into account for the next revision.


Mike B.

From: Tobias Christen, DSwiss AG [mailto:tobias.christen at dswiss.com]
Sent: Friday, January 08, 2010 9:30 AM
To: Boberski, Michael [USA]
Cc: Andrew van der Stock; owasp-guide at lists.owasp.org; owasp-application-security-verification-standard at lists.owasp.org; owasp-topten at lists.owasp.org; owasp-testing at lists.owasp.org
Subject: Re: [Owasp-guide] [OWASP ASVS] RFC: Common numbering proposal # 2


I highly appreciate this new numbering and mapping approach.
From my experience with opensecurityarchitecture.org and from what I saw at NIST, I can comment that we had the following experience:

 -  adding the (release) year into the numbering scheme can be problematic, because the document has a life cycle that goes over years ....
 -  I would rather try to accommodate a versioning scheme that is human readable in the reference number as well (e.g.  V02, or RevA, or...)

Hope this helps
Best regards

On 08.01.2010, at 14:31, Boberski, Michael [USA] wrote:

Andrew, brilliant. I will update based on your comments/guidance. Thank you!

Mike B.

From: owasp-application-security-verification-standard-bounces at lists.owasp.org [mailto:owasp-application-security-verification-standard-bounces at lists.owasp.org] On Behalf Of Andrew van der Stock
Sent: Friday, January 08, 2010 5:14 AM
To: mike.boberski at gmail.com
Cc: owasp-guide at lists.owasp.org; owasp-application-security-verification-standard at lists.owasp.org; owasp-topten at lists.owasp.org; owasp-testing at lists.owasp.org
Subject: Re: [OWASP ASVS] [Owasp-guide] RFC: Common numbering proposal # 2


I like a unique, and shared identifier within all of OWASP. It might even allow us to get the Honeycomb and other materials integrated in finally!

My main concern is the length.

OWASP-WEBAPP will be the primary prefix for 99% of the materials we have today. Thus everything will start with that.

I'd like for the WEBAPP to drop away, and become:


We don't need to encode values into these as they're for cross-referencing, not stating a fact.

There are several segments relevant to OWASP's interests I think we need to reserve now. Some of these we have material today, and some we don't (but should).

Architecture and Design (AR)
Education (ED)
Risk Management (RM)
Operational Risk (OR)

There will be others as we think about the SDLC and fill in the gaps.


On 08/01/2010, at 12:57 PM, Mike Boberski wrote:

Please see http://www.owasp.org/index.php/Common_OWASP_Numbering for a next proposal, refined based on inputs provided so far.


Owasp-guide mailing list
Owasp-guide at lists.owasp.org
