[Owasp-webcert] OWASP Evaluation and Certification Criteria

Mark Curphey mark at curphey.com
Sun Aug 5 12:11:25 EDT 2007


For those that want to see some progress, attached is the latest draft.

1. Remember the idea is to build a template from which we can derive
individual Evaluation and Certification Criteria or indeed a complete
scheme. What you see is the template from which we will "configure" a
reference implementation. This approach is scalable, and I have heard from a
few of you off-line that you really like this; a few banks plan to adopt
it, which is great news! This will allow Big Co X or Big Co Y to choose their
password quality or link to their own secure code standards without being
constrained by a generic lowest-common-denominator approach, while agreeing on
the big-ticket items. The idea is not to cover every possible thing.

2. Authorization - I need some help with this. What do we need to define
here?

I plan to complete the Process and People parts tomorrow and then configure
the reference implementation. This will be the one with tangible values and
not the cut-and-paste <insert here>.

Please don't waste time on detailed feedback (especially on grammar), BUT I
would like commentary and feedback on the topics included in Technology and
Process. Are there any missing?

Note: This has highlighted that there is a need for a great deal of
supporting material, such as secure coding standards and detailed "How To Test"
guidance for specific issues. This is both an issue and an opportunity for OWASP to
pull together various projects in a cohesive way.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP Evaluation and Certification Criteria.doc
Type: application/msword
Size: 715776 bytes
Desc: not available
URL: https://lists.owasp.org/pipermail/owasp-webcert/attachments/20070805/27a05c93/attachment-0001.doc