[Global_industry_committee] Fwd: The Microsoft SDL Pro Network

Colin Watson colin.watson at owasp.org
Mon Nov 2 07:53:47 EST 2009


Hello Pravir

The question of whether OWASP should/could become a member of the
Microsoft SDL Pro Network was raised on the GIC mailing list, and I
have since spoken with the person responsible for promoting the
network (subsequent briefing email below). As CLASP and Open SAMM
project leader, we wondered what your views were on this, before we
seek wider discussion in the OWASP community.

Regards

Colin


---------- Forwarded message ----------
From: Colin Watson <colin.watson at owasp.org>
Date: 2009/10/28
Subject: Re: [Global_industry_committee] The Microsoft SDL Pro Network
To: Christian Heinrich <christian.heinrich at owasp.org>,
Global_industry_committee <Global_industry_committee at lists.owasp.org>


Christian

I spoke with Katie on Monday as a result of our approach.

The current 'SDL Pro Network' members are all either training or
consultancy organisations, and/or were involved in the development of
the project.  Katie can see an opportunity for OWASP to become a
member, but it would be a different type than these - OWASP's
importance, and significant developer audience, mean it is in a good
position to encourage the types of practices encouraged in lifecycle
security.

The question is whether OWASP wants to become a member.  What (costs)
might that involve?

- referencing the Microsoft SDL / SDL Pro Network from the wiki
     - perhaps new pages about lifecycle issues, and referencing CLASP, SAMM
       and a new page about SDL Pro (and maybe others BSIMM, Cigital Software
       Security Touchpoints???)?
- allowing OWASP to be mentioned on the SDL Pro Network page as a member?
     - logo?
     - link?

At the moment there doesn't seem to be any obligation to contribute
resources in any way to the SDL effort, but I suspect the Global
Industry Committee and others would provide feedback on developer's
experiences and future public drafts and the like.  Would it weaken
CLASP or SAMM in any way?

OWASP would also need to consider whether its impartiality is in any
way affected, and also ensure it is not being seen to promote any
particular vendor.  OWASP materials already reference some vendor's
free and commercial products e.g.

Threat Risk Modeling
http://www.owasp.org/index.php/Threat_Risk_Modeling

Does being a member of SDL Pro Network bring other benefits to OWASP?  Perhaps:

- greater awareness?
- greater acceptance by commercial software development companies?

So we (OWASP) need to have a discussion.  Pravir and Andrew van der
Stock (Development Guide) would seem to be crucial to this. What are
people's views here, and how do you think we should proceed?

Regards

Colin Watson
Global Industry Committee
http://www.owasp.org/index.php/Global_Industry_Committee


More information about the Global_industry_committee mailing list