[GPC] Application for OWASP Grants on SANS request

Paulo Coimbra paulo.coimbra at owasp.org
Tue May 26 12:29:50 EDT 2009


Dinis, Juan,

I believe this page http://www.owasp.org/index.php/Funds_available_for_OWASP_Projects is not up to date and should have been removed or updated. However, I am carbon copying the GPC to have their say.

As for Juan's proposal, in my view, the appropriate frame to deal with it is the forthcoming OWASP SoC 09 http://www.owasp.org/index.php/OWASP_Season_of_Code_2009.

Thanks, 

Paulo Coimbra,
OWASP Project Manager


> >-----Original Message-----
> >From: Dinis Cruz [mailto:dinis.cruz at owasp.org]
> >Sent: Tuesday, 26 May 2009 16:47
> >To: Calderon, Juan Carlos (GE, Corporate, consultant);
> >paulo.coimbra at owasp.org
> >Cc: Juan C Calderon
> >Subject: Re: Application for OWASP Grants on SANS request
> >
> >Hi paulo, following our call earlier today, please find below Juan's
> >proposal
> >
> >Dinis Cruz
> >
> >On 25 May 2009, at 06:50, "Calderon, Juan Carlos (GE, Corporate,
> >consultant)" <juan.calderon at ge.com> wrote:
> >
> >> Hello Dinis
> >>
> >> I want to apply for "Questions for SANS" project sponsored by SANS,
> >> here is the information requested on the Grants page:
> >>
> >>    *  Your educational and professional background
> >> I am a Computer Systems Engineer with a distributed networks
> >> specialization from Instituto Tecnológico de Zacatecas in Mexico (1999);
> >> currently I am studying for a Master's degree in electronic commerce at
> >> ITESM, one of the most recognized universities in Latin America
> >(2009).
> >>
> >> About my professional background, here is a summary:
> >> - More than 10 years developing applications mainly on Microsoft
> >> technologies like ASP 2.0 and 3.0, VB 3.0-6.0 and ASP.NET, and I have
> >> experience with Java Applets, Servlets, JSPs and MVC frameworks
> >> (custom made and Struts).
> >> - Non-Official certifications for Java Fundamentals, Active Server
> >> Pages (Master), C#, Microsoft Security, ASP.NET (Master), RMDB
> >> Concepts and AJAX. See public transcript 1117931 at brainbench.com
> >> site.
> >> - My English level is fluent; I got 915 points in the Test of English
> >> for International Communication (TOEIC, 2005) and I have kept daily
> >> communication with English-speaking people in different places around
> >> the world during these years.
> >> - Member of Microsoft MVP program in Mexico
> >> - Project Management experience of 1.5 years on a team of 22
> >> security auditors
> >> - I am currently Application Security Research Leader (1 year),
> >> identifying industry trends in application security and keeping
> >> Softtek Application Security Services at a world-class level.
> >> - In the quality area, Six Sigma Black Belt trained and Green Belt
> >> certified (paper certificate in step)
> >>
> >>    * Application security experience and accomplishments
> >> - I have been working in the application security area for more
> >> than 8 years doing application security code reviews, black-box pen
> >> testing and consultancy. My expertise is as follows:
> >>    - Java. About 3 million lines of code (~120 app reviews)
> >>    - .NET, Classic ASP, mainframe and other legacy technologies for
> >> about 2.5 million lines (80 app reviews)
> >> - Certified Software Security Lifecycle Professional (May 09)
> >>
> >>    * Participation and leadership in open communities
> >> - Participation in OWASP since 2005 as coordinator of the OWASP Spanish
> >> project, with minor contributions to some documents
> >> - OWASP SoC 2008, where I participated with 2 projects, OWASP
> >> Internationalization (finished on time; only 3% did it) and the OWASP
> >> Classic ASP Security Project, both of them completed by now.
> >> - The OWASP Spanish project translated the OWASP site (all major
> >> sections) and all document projects to Spanish.
> >> - Participated with OWASP at the OWASP NY 2008 conference and the 2008
> >> Summit in Portugal.
> >>
> >>    * The opportunity, challenges, issues or need your proposal
> >> addresses
> >> My objective is to meet the need for a 200-question DB with the
> >> quality and confidence of my strong application security background
> >> in Java language security.
> >>
> >>    * Milestones and objectives
> >> Milestones will be defined depending on the schedule selected
> >> (according to the 2 options mentioned below)
> >>
> >> Objectives
> >> - Keep focused on Java technology documentation available from Sun
> >> and OWASP documentation and tool projects open to the public to
> >> avoid any controversy and make questions "inarguable" (as much as
> >> possible)
> >> - Avoid putting attention on definitions or acronyms; focus on best
> >> practices and root causes of application (in)security
> >> - No ambiguous or captious questions.
> >> - No Java language "hidden" issues
> >> - Strong emphasis on app security; No complex Java syntax questions
> >> with no app security just "to catch" examinees.
> >> - Avoid assumptions and "notes" in the questions; they should be
> >> concrete and specific.
> >> - Focus on measuring learning on application security not on memory
> >> capacity of the examinee.
> >>
> >>    * Specific activities and who will carry out these activities
> >> - Compile a series of open web resources from Sun and OWASP
> >> (evaluate resources in well-known Java communities and add them if
> >> considered strong enough) - Juan Carlos
> >> - Gather SANS requirements and guidelines on the question set - Juan
> >> Carlos/Dinis
> >> - Create an initial series of 20 questions and validate them with Sun
> >> Certified Java Programmer people, expert application security
> >> auditors and selected OWASP people at Java and other projects to
> >> get feedback on their quality (this set is the one to be
> >> disclosed to OWASP).
> >> - Elaborate a complementary set of 180 questions that accomplish the
> >> initial objectives and incorporate any proven feedback from the
> >> previously mentioned actors. - Juan Carlos
> >> - Send the final question set for acceptance to SANS and rework it if
> >> necessary. - Juan Carlos
> >> - Deliver a document with the questions and all the information in
> >> this email to close this phase of the project - Juan Carlos
> >>
> >>    * Specific deliverables and a rough project schedule so we can
> >> track progress
> >> 01 Jun - Start Date
> >> 05 Jun - Gather requirements and guidelines from SANS
> >> 11 Jun - Compile a series of resources
> >> 20 Jun - Initial Set of questions
> >> 28 Jun - Validation of questions and adjustments to objectives
> >> 26 Jul - 50% advance, 100 questions tollgate
> >> 22 Aug - Send 200 questions to SANS for confirmation and rework if
> >> necessary
> >> 30 Aug - Due Date
> >>
> >>    * Long-term vision for the project
> >> I think I will also be able to help with the .NET question set, but
> >> I think you can decide that after the delivery. About the Java
> >> project, I expect this question set to help the SANS certification
> >> become the de facto Java security developer professional certification.
> >>
> >>    * Any other reasons why you and your project should be selected
> >> I know how to deliver. Also, I will be supporting my deliverables with
> >> certified Sun Programmers in my company like Aldo Solis and Karina
> >> Medina to complement my strong application security background.
> >> Finally, I could include more very qualified people in the
> >> project to finish on time and with the promised quality level.
> >>
> >> Regards,
> >>      Juan C Calderon, CSSLP
> >>       Research Leader  (Contractor of Softtek)
> >>    D *879-7858
> >>    T +52 (449) 910-7858
> >>    E juan.calderon at ge.com
> >>    Softtek GDC Aguascalientes
> >>
