Wednesday, July 27, 2011

OWASP Codes of Conduct Project

By Colin Watson

At the summit in Portugal earlier this year, a working session on "Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies" produced a document defining minimal requirements for three types of organization, setting out the most effective ways each can support OWASP's mission. These are OWASP's objectives for other organizations; they do not relate to OWASP members or other participants.

The three types of organization were:

- Government Bodies
- Educational Institutions
- Standards Groups

with Jeff Williams, Dave Wichers and Dinis Cruz as primary contributors.

Although I didn't attend that particular session, I was able to contribute to an early draft version of the document, and subsequently created a parallel document for:

- Trade Organizations

At another working session on Certification, the participants created another closely-related document on expectations for:

- Certifying Bodies

with Jason Li, Jason Taylor, Martin Knobloch, Matthew Chalmers and Justin Searle as primary contributors.

Each document has been given a colour name to make it more identifiable and to provide a shorter title. Thus the document "The OWASP Application Security Code of Conduct for Government Bodies" is also "The OWASP Green Book".

OWASP would like to formalize, complete and create release-quality documents, and therefore I have offered to start a project and become project leader for the OWASP Codes of Conduct Project. The project will nurture these initiatives and collect feedback on the draft documents with the aim of issuing and promoting the documents later this year. With Paulo Coimbra's welcome assistance, the project and current draft versions can be found at:

The v1.1 draft documents were created from the summit outcomes, and to date I have:

1) standardized their formatting
2) removed reference to "free membership [of bodies, groups]" where this does not match current policy
3) removed "free attendance at events" for liaison contacts since this hasn't been more widely discussed
4) made liaison groups within OWASP less specific since we do not have an "OWASP Educational Institution Executive Council", for example
5) changed the mandatory Code of Conduct items to a numbered list, and the recommendations to an alphabetical list, to distinguish between them better
6) added hyperlinks to OWASP resources and a summary sheet on the last page

I would welcome feedback on these using the project's mailing list:

Please contribute in the next 4 weeks, after which I will be seeking formal project reviewers. Some things to be discussed before then:

- have all the contributors been captured correctly?
- the documents do not have licensing or copyright stated
- the Green Book requires government organizations to adopt a definition of "application security", but in the Yellow Book for Standards Groups this is an optional requirement, and perhaps they should be the same
- some organizations might decide they do everything we suggest, and we might want to state a form of words for any statement of adoption

PLUS ANYTHING ELSE you feel is important. You may have ideas for another similar document. Please join the mailing list.

Colin Watson
