[Owasp-leaders] What's the "catalyst" project all about?
andreg at gmail.com
Sun Jul 12 00:20:43 EDT 2009
On Sat, Jul 11, 2009 at 9:03 PM, Stephen Craig Evans <stephencraig.evans at gmail.com> wrote:
> I don't think before I hit "Send"
As an expert on the above subject (and maybe a few of the below ones),
let me provide some feedback.
I think it was Epstein or somebody cool who said, "Isn't it a little
early for maturity models in the appsec space?"
The primary problem here is that we don't have a maturity model for
building maturity models.
Also -- in the case of Catalyst, it appears to be an effort to
integrate ESAPI, ASVS, and other OWASP projects into one big-giant,
dirty rubber-band ball. Apparently SAMM didn't offer this sort of
integration. In other words, BSI-MM had too much Cigital terminology,
but SAMM didn't have enough OWASP terminology.
The fact that SAMM, BSI-MM, and the SANS/MITRE Top 25 have had only a
small percentage of the success compared to the OWASP Top Ten leaves
me happy. I don't think we need more than one marketing-friendly /
lightweight, "one-size supposedly fits-all, but really doesn't fit
any" introduction to the subject matter.