[Global_education_committee] Fwd: [Owasp-leaders] 2010 Budgeting

Seba seba at owasp.org
Wed Aug 5 07:51:54 EDT 2009

James, GEC,
This is actually something the GEC should formulate advice on.
Who starts the OWASP 'stub' so we can all add our experiences and start
collecting feedback from the field?



---------- Forwarded message ----------
From: McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com>
Date: Mon, Aug 3, 2009 at 4:56 PM
Subject: [Owasp-leaders] 2010 Budgeting
To: owasp-leaders at lists.owasp.org

This week, I have the painful task of defining next year's application
security budget and am curious about how others have approached this
activity. Right now, I am focused on defining the education portions and
would love insight into what other large enterprises are doing in the way of
training their IT staff. If you have insight into the following, please let
me know:

   - *Code Review*: We have a wonderful guide on reviewing code. Has anyone
   turned this into a course? Nowadays, almost no one sits down and reads where
   the preference is to be walked through something.
   - *Forensics for Developers*: Let's acknowledge that the masses of
   software developers still remain blissfully ignorant when it comes to
   understanding application security. Even for those who are starting to ramp
   up, their velocity may be inadequate to remediate tons of legacy code and
   therefore when they get 0wn3d they need to have a clue as to figuring out
   what happened.
   - *Business Analyst Misuse Cases*: I believe that developers shouldn't be
   the only ones thrown under the bus when something bad happens. Since we can
   acknowledge that if the business can't articulate a business requirement
   around security (other than high-level meaningless phrases such as "I want
   the application to be secure") then we need to acknowledge that the BA needs
   to capture something else other than functional requirements.
   - *Testing Software*: We can acknowledge that QA should be using means
   other than peering thru the UI yet this doesn't happen. Looking for
   something that will help them not only know the basics such as using
   WebScarab but also something that will turn them into Junior Rsnakes,
   Grossmans, Arshans, etc.

Need to know which OWASP firms have training offerings that align with my
current thinking?
