Plan to modify assurance case format (more claims, use SACM notation) - any thoughts?
Other than describing the SACM's ArgumentReasoning symbol as a "half-rectangle", I have no objections. (A "half-rectangle" is also itself a rectangle, so I think some alternate description would be be
By Kevin W. Wall · #601

Need some advice addressing "unfixable" publicly known vulnerabilities
CII Badging community, I just updated the ESAPI project on the CII Badges site to account for a newly discovered CVE. Specifically, I added this verbiage: Most Software Compositional Analysis tools /
By Kevin W. Wall · #564

Did logins change because of the CII-Badges new spam defenses?
David, et al, Does the username / password for https://bestpractices.coreinfrastructure.org/ now require it to be done via GitHub? I just tried to login using my Gmail account (which was how I registe
By Kevin W. Wall · #562

Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures
I have no objections, but how will moving from CVSSv2 to CVSSv3 affect things if NVD only has CVSSv2 scores available for the particular CVE? Would there be an expectation that we would need to deal w
By Kevin W. Wall · #549

C++ static analysis tools for CII badge
<daniel.heckenberg@...> wrote: Daniel, The DHS SWAMP (https://www.dhs.gov/science-and-technology/csd-swamp) might have some things. I recall talking to Kevin Greene (BCC'd) at an AppSec USA conf
By Kevin W. Wall · #527

Silver crypto (TLS) requirements - thoughts from Zephyr
David, First, apologies for top posting. I don't usually do that, but I have a bunch of emails to reply to tonight. In general, I am against relaxing the 2 silver requirements for Zephyr or any other
By Kevin W. Wall · #452

Proposal: For sites_https, allow GitHub pages + custom domain + CloudFlare to implement HTTPS for project site
That's fine, but I think that it should be worded so that it doesn't come across as an endorsement for CloudFlare. E.g., such as CloudFlare, Akamai, Rackspace, MaxCDN, <insert-your-favorite-CDN-provid
By Kevin W. Wall · #364

Proposal: For sites_https, allow GitHub pages + custom domain + CloudFlare to implement HTTPS for project site
Quick question: Are there any CDNs that the security community should NOT accept as okay, e.g., ones that have poor reputation wrt security? If so, we should list them or criteria of what makes them b
By Kevin W. Wall · #356

Ideas for higher-level badges
David, My $.02 on the early draft. Note that I've not gone back to review the base criteria and it's been awhile since I've revisited that so apologies if I mention something that is already there. **
By Kevin W. Wall · #349

Is there consensus of when we should consider a particular badging issue as being addressed?
Just wondering what everyone's thoughts are about when a project should consider a particular issue related to the badging process to be completed. Can we / should we consider something completed only
By Kevin W. Wall · #337

Idea: Email reminders for not-passing, haven't edited in a while
David, You wrote: > There are a lot of moving parts in this algorithm, but I think it's clear. I just want to make sure that we avoid lots of nagging - the goal is to encourage people, not to bother t
By Kevin W. Wall · #324

Idea: Email reminders for not-passing, haven't edited in a while
David, I prefer the original 60 day proposal over the 30 day notice. Some of the projects listed probably don't have all the most volunteer help (I know ESAPI does not), and addressing some of these t
By Kevin W. Wall · #322

Most-missed criteria for projects
David, Sorry a bit late with this feedback. I hope it is the type of feedback that you are looking for. I can't speak for others, but I guess the one that I'm "struggling" with the most (translate "is
By Kevin W. Wall · #309

Wiki page on impacts
David, Do you also want to know changes we have made (thus far) for the sole purpose of pursuing a badge not yet obtained? Because, I may not be able to recall all of them once we finally arrive as th
By Kevin W. Wall · #282

Summary data from badges (so far)
Okay, well here it is in <https://drive.google.com/file/d/0B3Yc2oc1Z9n5UjBkb2dWWWJpRGM/view?usp=sharing> as an Open Document Spreadsheet (.ods, like what LibreCalc uses). The first worksheet is just t
By Kevin W. Wall · #261

Summary data from badges (so far)
David, Thanks for taking the time to do this. I plan on taking a look at it this weekend and see if anything interesting jumps out at me. Just one question though...I'm trying to recall if '?' is the
By Kevin W. Wall · #257

GnuPG and some charts...
David, This is interesting, but as an AppSec practitioner, it doesn't address what I'm most interested in, which is where, how, and why are projects failing. I think the most interesting statistic wou
By Kevin W. Wall · #253

Plan to allow specification projects as well as projects with code, per project #180 (ODPi specifications)
I'm in favor of it, with this caveat... just because a specification project uses a FLOSS approved license like CC-BY-4.0 as David mentioned, that would not necessarily imply that resulting spec would
By Kevin W. Wall · #245

First impressions on CII Best Practices and badges -- part 3
Actually, I went back and looked at it and it does NOT store plaintext passwords; they are stored as hashes in a text file as: account id | account name | hashed password | roles | lockout | status |
By Kevin W. Wall · #239

Subject: First impressions on CII Best Practices and badges -- part 2
Thanks for that. I fired off an email to them. I'm honestly hoping that it's not as big of a pain in the ass to get a CPE issued as it is to convince Mitre and them to accept a proposed CVE. (That w
By Kevin W. Wall · #238