[Owasp-webcert] OWASP Evaluation and Certification Criteria

Mark Curphey mark at curphey.com
Wed Aug 8 09:34:44 EDT 2007

Hi Andre


First off as always thanks for the comments and taking time to provide
feedback. It's always appreciated and well received.


From my perspective the actual idea was to be tactical, i.e. specify controls
that can easily be measured. It's already pretty scary when you start to think of
simple things for process as you pointed out. I could see a strategy to meet
the criteria as being very powerful but "I" think it's out of scope of this
exercise at least. That said I am starting to become quite passionate about
it and I hope to present it at the next OWASP in San Jose. Maybe it can spin
off a set of satellite projects that could support it or it could support.
One maybe a strategic program that is interlocked.


Of course I may be misreading this and you may be saying we should be saying
all companies should have a strategy. While I agree, the question is how to
measure a pass or fail. First you have to define what a good one is and
by implication what isn't good and then show how to measure against it. If
we just say "you have to have a strategy" it seems it's like the PCI
"you have to have a code audit". What does it really mean? Maybe it's a stub
as Jeff suggested in his mail.


Let me chew this all over. I am planning to spend Thurs and Friday on
updates to this. 




From: andreg at gmail.com [mailto:andreg at gmail.com] On Behalf Of Andre Gironda
Sent: Monday, August 06, 2007 6:01 PM
To: owasp-webcert at lists.owasp.org; Mark Curphey
Subject: Re: [Owasp-webcert] OWASP Evaluation and Certification Criteria


On 8/5/07, Mark Curphey <mark at curphey.com> wrote:
> Please don't waste time on detailed feedback (especially for grammar) BUT
> would like commentary and feedback on the topics included in Technology
> Process. Are there any missing?


What I see here in these PPT sections is all tactical based information.
The new parts of the document appear to tell organizations which techniques
need attention to overall or specific security assurance issues as
"checklists" or "tasks".  However, the document offers no direction or
tools/techniques for strategy.  The document instead appears to be selling
itself as the strategy. 

Setting aside controls for strategic efforts, as opposed to tactical ones -
seems to be difficult at first.  However, there are planning methods which
can allow an organization to develop strategic issues that map into
individual tactical issues.  One example of this I found when reading
Context Analysis <http://en.wikipedia.org/wiki/Context_analysis>  is called
SWOT-i.  I was amazed at how this could easily be adopted or extended for
building a security strategy.  I even considered replacing the word
"competitor" with "adversary" in the Wikipedia article just to create some
new ideas around a very robust security management strategy tool. 

What I'm trying to say here, is that while the PPT-based assurance
techniques are great - there is nothing to pull them together.  Suggesting a
strategy tool such as context analysis for the overall Evaluation Criteria
will allow PPT to provide goals and map strategic techniques to tactical
ones.  Many organizations miss this mark - and that "strategy" is something
you base your future on after you've already built a scorecard.  I think
strategy is not only a mandatory initial step - but also an important
continual tool for organizations to use for improvement.  Strategy tools
also uncover organizational and culture problems - something that checklists
and well-designed processes will often miss or completely fail to take into

I was thinking maybe strategic tools would be added to the process section,
but you filled it with security policy, SDL (requirements, architecture,
threat modeling, coding standards, software testing, inspection), and change
management (or do you mean build and release?). 

> Note: This has highlighted that there is a need for a great deal of
> supporting material such as secure coding standards and detailed How To
> for specific issues. This is both an issue and an opportunity for OWASP to
> pull together various projects in a cohesive way.

Andrew van der Stock is writing Guide 3.0 and Daniel Cuthbert is writing
Testing Guide v3.  Maybe they can help you?

