OWASP Application Security Codes of Conduct Project
As a volunteer contributing to the open and free knowledge created and distributed by the Open Web Application Security Project (OWASP), I have contributed time to a number of projects and am a member of its Global Industry Committee. But until this month I had not been an actual project leader.
Now I have become project leader of the OWASP Codes of Conduct Project. This is intended to be the home for a series of documents that define a small number of minimal requirements for other types of organisation, specifying the most effective ways they could support OWASP's mission (to make application security visible, so that people and organisations can make informed decisions about true application security risks).
Three initial documents were drafted during the working session on Defining a Minimal AppSec Program for Universities, Governments, and Standards Bodies at the OWASP Summit 2011, which was led by Jeff Williams, Dave Wichers and Dinis Cruz. Although I did not attend this session due to a clash, I subsequently contributed to the draft documents and created a document aimed at a fourth type of organisation. The documents were labelled "codes of conduct" to imply that they define normative standards, representing a minimum baseline which should not be difficult to achieve.
During the summit, two other working sessions (Outreach to Educational Institutions and Certification) defined another code of conduct, for application security skill certifying bodies. The primary contributors were Jason Li, Jason Taylor, Martin Knobloch, Matthew Chalmers and Justin Searle.
OWASP wanted to formalise, complete and create release-quality documents, and therefore I offered to start a project and become its leader. The project will nurture these initiatives and collect feedback on the draft documents, with the aim of issuing and promoting the documents later this year.
I have already standardised the formatting and content of the five codes of conduct, and raised some questions for the community to discuss. The version 1.1 (draft) documents are available from the OWASP web site as follows:
- The OWASP Application Security Code of Conduct for Government Bodies (The OWASP Green Book)
- The OWASP Application Security Code of Conduct for Educational Institutions (The OWASP Blue Book)
- The OWASP Application Security Code of Conduct for Standards Groups (The OWASP Yellow Book)
- The OWASP Application Security Code of Conduct for Trade Organizations (The OWASP Purple Book)
- The OWASP Application Security Code of Conduct for Certifying Bodies (The OWASP Red Book)
If enough organisations can undertake these minimal requirements, we believe this would make a significant contribution to better application security. My plan is to gather feedback on these in the next month so that we can create peer-reviewed release-quality documents by the end of September. There is some further information on the OWASP Blog.
If you have any comments, views or ideas for these, or have skills or contacts to assist with their promotion, please let me know. The project has its own mailing list.
Posted on: 29 July 2011 at 08:57 hrs
