[Owasp-leaders] The OWASP Security Ecosystem Project
jeff.williams at owasp.org
Wed Feb 17 15:46:43 EST 2010
This is about building *technology specific* security ecosystems. A major
SAAS player came to us recently and asked for help building out the ESAPI
for their platform (soon to be public). We want to help them build not only
security controls, but a thriving ecosystem with researchers, developers,
guidance, research papers, standards, tools, conferences, forums, etc.
That's the path to a secure technology - open discussion, learning, and
Currently OWASP is kind of like this for "web technology" in general. But we
have only fragments that focus on specific technologies - a T10 for Rails,
an ESAPI for Cold Fusion, a Java project, etc. We haven't really built a
technology specific ecosystem for anything yet.
From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
Sent: Wednesday, February 17, 2010 3:36 PM
To: Jeff Williams
Subject: RE: [Owasp-leaders] The OWASP Security Ecosystem Project
Hi Jeff. Isn't this what OWASP is already? Not trying to be difficult; I
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Wednesday, February 17, 2010 12:38 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] The OWASP Security Ecosystem Project
The time has come for us to do even more to lead technology companies
towards getting their software secure! One key component of achieving
secure software is to have a thriving community ecosystem focused on the
security of the technology. A few organizations are starting to build these,
like Microsoft's BlueHat community and perhaps a few others. But there's a
huge opportunity for us to do better and OWASP is uniquely positioned to
lead this important effort.
The OWASP Security Ecosystem Project
OWASP has recently been approached by several large SaaS vendors to help
them improve their security. We'll be announcing these vendors and
launching their ecosystems as soon as we get permission. Now is the time
for us to organize our "Security Ecosystem Project" so that we are ready to
help get these programs off the ground quickly and successfully.
So what is a "security ecosystem"?
Nobody (and no company) can build secure software by themselves. We have
seen that vulnerability research can help to drive security forward in
companies, but it's a painful process. We envision a partnership between
technology platform vendors and a thriving ecosystem focused on the security
of their technology. The ecosystem will include researchers (both builders
and breakers), tools, libraries, guidelines, awareness materials, standards,
education, conferences, forums, feeds, announcements, and probably more.
Why collaborate with vendors?
It might be possible for OWASP to try to start an ecosystem without the
vendor's involvement. In fact the OWASP Java and .NET project partially fit
that description. But these efforts may seem like a threat to technology
vendors. Vendors might start their own ecosystem, but it is much more
likely to succeed with an independent partner like OWASP. The OWASP
Ecosystem Project is intended to help create a collaborative open effort
focused on improving the security of the technology by focusing on
visibility, understanding, and informed decisions about risk. OWASP's
independence and positive approach make us the perfect environment for
these ecosystems to grow.
How do we get started?
The first step is to create a framework for a healthy security ecosystem!
Then we can choose a few key technologies and vendors that want to work with
us to start. We need to pull together the materials we have and other
materials out on the net into an OWASP Security Ecosystem Portal. To grow the
ecosystem, we'll solicit research, tools, and other materials and work with
both end-users and the vendor to focus on eliminating the key risks
associated with the technology.
This could mark the dawning of a new collaborative era of application
security, where companies actively engage with security researchers in order
to make their products better. Everyone benefits by creating an ecosystem
focused on fostering transparency. The time has come for security experts
and software developers to collaborate. The stakes are way too high to waste
time and effort on obscurity and infighting.
If you're interested in helping get this program off the ground, we're
collaborating on defining the security ecosystem on the OWASP wiki at
http://www.owasp.org/index.php/Security Ecosystem Project. We're looking for
energetic technical leaders who would like to build a thriving security
ecosystem around a technology. If you have at least 10 hours a week to
dedicate to this important effort, and you think you're the right person,
contact us at owasp at owasp.org.
Jeff Williams, CEO
Aspect Security, Inc.