[Global_industry_committee] An open letter to the Brazilian Government

Sarah Baso sarah.baso at owasp.org
Wed Apr 20 15:26:29 EDT 2011


Lucas -- this is great!  All GIC members have been advised to look over this
document as we would like to make a committee decision on whether to
endorse/stand behind this doc as you have requested.

Thank you for the follow up and we will hopefully have an answer for you
after our next meeting.

Best Regards,
Sarah Baso

On Wed, Apr 20, 2011 at 1:17 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:

> Hello Colin and GIC members,
>
> I've sent the document to the Brazilian chapters mailing lists and got
> some feedback about the document and its ideas. We now have compiled a
> 1.0 version for the document including the suggestions and comments
> sent to the Brazilian lists. This version was sent today to the OWASP
> Portuguese Language Project mailing list and has been published on the
> OWASP wiki (in both https://www.owasp.org/index.php/Category:Brasil
> and https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project)
>
> The final document is directly downloadable from
>
> https://www.owasp.org/images/1/16/Seguranca_na_web_-_uma_janela_de_oportunidades.pdf
>
> I have also updated the rough translation with the new sections that
> were included because of the discussion on the Brazilian lists. The
> translation is available here to anyone with an @owasp.org username:
>
> https://docs.google.com/a/owasp.org/document/d/1pWNIlMvbl9DueibfrETIRZBj4qxKLjz6DgavTxnYNDQ/edit?hl=en&authkey=CNOWjaQL
>
> Best regards,
>
> Lucas
>
> On Tue, Mar 29, 2011 at 12:26, Colin Watson <colin.watson at owasp.org> wrote:
> > Lucas
> >
> > Just to re-iterate one thing.... I think it is *very* important to
> > have input/support from *all* the Brazilian local chapters, regardless
> > of what happens to the document next.
> >
> > Colin
> >
> >
> >
> > On 29 March 2011 15:17, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
> >> Sarah,
> >>
> >> The letter was written with the goal to send it to the Government and
> >> try to influence government decisions as many NGOs do. In order to
> >> achieve this goal, it needs to be a statement from OWASP, instead of
> >> being just my own opinion. This is what NGOs such as WWF or Greenpeace
> >> do all the time and is certainly part of their success
> >> (http://www.worldwildlife.org/what/howwedoit/policy/letterstestimonydocs.html).
> >>
> >> I wanted OWASP to be able to write letters to government officials
> >> with statements such as "On behalf of World Wildlife Fund's 1.2
> >> million members..."
> >> (http://www.worldwildlife.org/what/howwedoit/policy/WWFBinaryitem7101.pdf).
> >> This is much stronger than a letter from myself or my local chapter.
> >> It is this kind of impact I am seeking.
> >>
> >> Unfortunately, in order to avoid bureaucracy, OWASP seems to have no
> >> way to materialize the strength of congregating most of the world's
> >> AppSec experts. IMHO, we are losing an opportunity to make a
> >> difference.
> >>
> >> About what I want from the GIC: I thought that the GIC would be the
> >> "natural" point of entry for my letter, since the goal is to interact
> >> with a government. I really appreciate and have a deep respect for
> >> Colin's advice, but he sent me his own opinion. As far as I
> >> understand, Colin had no intention of speaking on behalf of the
> >> Committee.
> >>
> >> What I really want is to know if I can go ahead and begin sending the
> >> document. Or if I have to change it and make it a personal statement.
> >> It would be great if the GIC could tell me "we're good with it, go
> >> ahead" or "we're good with it, but you need Board's approval". Or just
> >> tell me: "It's not our business", and I would go somewhere else.
> >>
> >> Thanks,
> >>
> >> Lucas
> >>
> >> On Tue, Mar 29, 2011 at 10:27, Sarah Baso <sarah.baso at owasp.org> wrote:
> >>> Lucas,
> >>>
> >>> What else specifically are you looking for from the GIC? Colin gave
> >>> you some feedback, and he is a member of the GIC...
> >>>
> >>> We can try to have someone else take on the task, but I'm not sure if
> >>> you are just looking for more feedback?
> >>>
> >>> Thanks.
> >>>
> >>> Sarah Baso
> >>>
> >>> On Mar 29, 2011, at 8:15 AM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
> >>>
> >>>> Hello Tom,
> >>>>
> >>>> OK, I'll assume that the committees can speak on matters related to
> >>>> their missions.
> >>>>
> >>>> Going back to the document I wrote, what is your advice? Until now, I
> >>>> only got some input from Colin and I still don't know if the GIC will
> >>>> look at it. If there is no feedback on this, what should I do?
> >>>> Proceed? Forget it? Ask the Board?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Lucas
> >>>>
> >>>> On Mon, Mar 28, 2011 at 22:36, Tom Brennan <tomb at owasp.org> wrote:
> >>>>> It's really not that complicated, Lucas.  What we want to avoid is the
> >>>>> edge case, as this adds too much bureaucracy to OWASP. I agree we need some,
> >>>>> but that is why we have Global Committee Chairs
> >>>>> (committees-chairs at lists.owasp.org) as focus groups and the Board to help
> >>>>> keep things on mission and purpose as well as the overall community.
> >>>>>
> >>>>> Empowerment does work if everyone has the same goals, understands
> >>>>> that purpose, operates with values and ethics in mind; see:
> >>>>> http://www.owasp.org/index.php/About_OWASP
> >>>>>
> >>>>> Semper Fi,
> >>>>>
> >>>>> Tom Brennan
> >>>>> Direct: 973-202-0122
> >>>>> http://www.linkedin.com/in/tombrennan
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Mar 28, 2011, at 9:21 PM, Lucas Ferreira wrote:
> >>>>>
> >>>>>> Hello Mauro,
> >>>>>>
> >>>>>> I agree that each committee must be entitled to speak for itself. But
> >>>>>> can they speak on behalf of OWASP? How can we guarantee that different
> >>>>>> committees will not issue conflicting statements to the public at
> >>>>>> large?
> >>>>>>
> >>>>>> Independent of this issue, will the GIC look at the document itself?
> >>>>>> May I expect to have a position from the GIC about the document?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Lucas
> >>>>>>
> >>>>>> On Mon, Mar 28, 2011 at 10:09, Mauro Flores <mauro.flores at owasp.org> wrote:
> >>>>>>> I agree with Lucas about having an approval process for communications,
> >>>>>>> and I don't know if there is a formal process defined in OWASP.
> >>>>>>> I think that each committee is independent enough to speak on behalf of
> >>>>>>> itself, if it has a previous internal vote. I mean, if we all vote to
> >>>>>>> publish a letter or something like that in the name of the OWASP GIC, we
> >>>>>>> should be able to do it.
> >>>>>>>
> >>>>>>> I also think that having a unique OWASP voice on something should be a
> >>>>>>> little more complex. If we want to say that this letter/publication
> >>>>>>> represents the ideas and values of the whole OWASP organization... it is
> >>>>>>> complex. More than that, I also wonder if we need that... shouldn't it be
> >>>>>>> enough that a committee takes a position on a certain issue that
> >>>>>>> involves it? Aren't the resolutions that the OWASP Committees take
> >>>>>>> enough for the companies? Do they need a higher approval?  I think
> >>>>>>> not...
> >>>>>>> just my thoughts.
> >>>>>>>
> >>>>>>> regards, Mauro Flores
> >>>>>>>
> >>>>>>> On Thu, 24-03-2011 at 18:12 -0300, Lucas Ferreira wrote:
> >>>>>>>> Hello Colin,
> >>>>>>>>
> >>>>>>>> April 1st will be pretty busy for me, so I won't be able to join the conf.
> >>>>>>>>
> >>>>>>>> IMHO, if OWASP wants to work with governments, it must have a process
> >>>>>>>> to allow someone to speak on behalf of the organization. That's what I
> >>>>>>>> need now. The point is not to have this specific document approved,
> >>>>>>>> but to bring the OWASP point of view to the government. The rationale
> >>>>>>>> for this is the same used by other orgs, such as WWF or Greenpeace: to
> >>>>>>>> gain strength. If something is the point of view of OWASP, it can get
> >>>>>>>> more attention than my own PoV, or my chapter's PoV. If we share a
> >>>>>>>> common understanding of how things should be done, we need to have
> >>>>>>>> some way to gather this understanding and state it clearly.
> >>>>>>>>
> >>>>>>>> Based on your and Paulo's suggestions, I'll send this to the board.
> >>>>>>>> Does anyone else in the GIC want to comment? Would the GIC like me to
> >>>>>>>> wait until your conference?
> >>>>>>>>
> >>>>>>>> OWASP being either a platform or a hierarchy, it should be able to
> >>>>>>>> make statements and recommendations.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>>
> >>>>>>>> Lucas
> >>>>>>>>
> >>>>>>>> On Thu, Mar 24, 2011 at 13:37, Colin Watson <colin.watson at owasp.org> wrote:
> >>>>>>>>> Lucas
> >>>>>>>>>
> >>>>>>>>> Sorry, I misunderstood the purpose of the English-language version.
> >>>>>>>>> It is perfectly good as it is, for this process we are going through
> >>>>>>>>> now.
> >>>>>>>>>
> >>>>>>>>> Regarding "approval", I'm not sure the GIC has approved anything much
> >>>>>>>>> before.  I've tended to use "submitted on behalf of..." but with a
> >>>>>>>>> government I see you may want to have more gravitas.  Honestly, I
> >>>>>>>>> don't know if OWASP has (or desires to have) a mechanism for
> >>>>>>>>> approval.  The nearest thing is the quality criteria for projects.
> >>>>>>>>>
> >>>>>>>>> Feel free to join in the next GIC conference call on 1 April, or maybe
> >>>>>>>>> it's something you want the board's viewpoint on?
> >>>>>>>>>
> >>>>>>>>>  http://www.owasp.org/index.php/OWASP_Board_Meetings
> >>>>>>>>>
> >>>>>>>>> I guess it comes down to "is OWASP a hierarchy, or a platform?".  And
> >>>>>>>>> if it's a hierarchy, is the board at the top or the bottom?
> >>>>>>>>>
> >>>>>>>>> Colin
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 24 March 2011 12:41, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
> >>>>>>>>>> Hello Colin,
> >>>>>>>>>>
> >>>>>>>>>> thanks very much for your feedback.
> >>>>>>>>>>
> >>>>>>>>>> First I would like to say that my first intention was to produce a
> >>>>>>>>>> document in Portuguese, since its target is the Brazilian government.
> >>>>>>>>>> As a consequence, the English version is crappy. I produced it quickly
> >>>>>>>>>> using Google translator and adjusting the automatic translation. I was
> >>>>>>>>>> not planning to improve the translation beyond the point of making the
> >>>>>>>>>> document understandable by other OWASPers unless there is interest
> >>>>>>>>>> from other OWASP Chapters.
> >>>>>>>>>>
> >>>>>>>>>> My other comments are inline.
> >>>>>>>>>>
> >>>>>>>>>> On Thu, Mar 24, 2011 at 05:30, Colin Watson <colin.watson at owasp.org> wrote:
> >>>>>>>>>>> Lucas
> >>>>>>>>>>>
> >>>>>>>>>>> I read through the document last night and have a few comments about
> >>>>>>>>>>> the content.  It's really a very good document, with lots of ideas I
> >>>>>>>>>>> support, but who knows whether these are all OWASP's view (if it has
> >>>>>>>>>>> such a thing).  When you get to a near-final version, I'd be happy to
> >>>>>>>>>>> go through and check it against "UK English" if you like.
> >>>>>>>>>>>
> >>>>>>>>>>> 1) [Cover] It seems longer than a "letter", perhaps call it something
> >>>>>>>>>>> else?  Is "manifesto" better?
> >>>>>>>>>>
> >>>>>>>>>> You're right. I'll seek a better word for describing the document.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 2) [p2] Do the CERT.br statistics relate to application security
> >>>>>>>>>>> attacks or not?  Is there any data?  Is anyone counting?
> >>>>>>>>>>
> >>>>>>>>>> No, they relate to any kind of security incident in the Brazilian
> >>>>>>>>>> Internet space. I don't know of good statistics for app sec in Brazil,
> >>>>>>>>>> so I used the closest I could find that is reliable and published by a
> >>>>>>>>>> trusted entity.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 3) [p4] Change title to just "OWASP" or "The OWASP" since P=project already
> >>>>>>>>>>
> >>>>>>>>>> As I said, I'll leave English corrections for a future "real" English
> >>>>>>>>>> version, if there is interest from other countries.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 4) [p4] I think the number of active chapters is less than 180 now -
> >>>>>>>>>>> Kate or Tom B have data on this.
> >>>>>>>>>>
> >>>>>>>>>> OK. I'll check the data.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 5) [p4] Remove "project" from 4th paragraph, third word
> >>>>>>>>>>>
> >>>>>>>>>>> 6) [whole doc, but noticed on p5] The terms "network", "software" and
> >>>>>>>>>>> "internet" are maybe being used to mean similar things at times - for
> >>>>>>>>>>> clarity, which one/ones is this document about?
> >>>>>>>>>>>
> >>>>>>>>>>> 7) [p6] Would "baseline security requirements" be better than "minimum
> >>>>>>>>>>> security requirements"?
> >>>>>>>>>>
> >>>>>>>>>> Same as before about improving the document language.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 8) [p9] You mention SSE-CMM and ASVS.... but would SAMM be more
> >>>>>>>>>>> comparable to SSE-CMM, and mention ASVS elsewhere?
> >>>>>>>>>>
> >>>>>>>>>> I would rather include all of them. Any framework that can be used for
> >>>>>>>>>> designing audits fits this item, as it is only a general
> >>>>>>>>>> recommendation.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 9) [p13] Perhaps other things to mention are:
> >>>>>>>>>>>            - improve Brazil's reputation as a safe place to do online
> >>>>>>>>>>>              and offline business
> >>>>>>>>>>>            - attract inward investment by software development companies
> >>>>>>>>>>>            - increased national resilience to cyber attacks
> >>>>>>>>>>
> >>>>>>>>>> These are great points. I'll get them into the document.
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> 10) [p15] In contacts maybe have full details for one person as the
> >>>>>>>>>>> primary contact (e.g. yourself), but list the names and email
> >>>>>>>>>>> addresses of each Brazilian chapter leader
> >>>>>>>>>>
> >>>>>>>>>> Yes, good point. I was waiting to see how OWASP would embrace this
> >>>>>>>>>> initiative before choosing contacts. I'll probably ask the Brazilian
> >>>>>>>>>> leaders for permission before putting their names on this document.
> >>>>>>>>>>
> >>>>>>>>>> Again, thanks a lot for your time. Do you think the industry committee
> >>>>>>>>>> could endorse this document? Should the board be involved?
> >>>>>>>>>>
> >>>>>>>>>> Lucas
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> Regards
> >>>>>>>>>>>
> >>>>>>>>>>> Colin
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On 21 March 2011 20:37, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
> >>>>>>>>>>>> Hello Industry Committee Members,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Based on Dinis' keynote at IBWAS 2010, I wrote a white paper on how the
> >>>>>>>>>>>> Brazilian Government could improve web application security in the country.
> >>>>>>>>>>>> I'd like to be able to send this out as a message from OWASP and am trying
> >>>>>>>>>>>> to understand how this could be done. I think this could be a good
> >>>>>>>>>>>> introduction of OWASP to many government officials, as it contains
> >>>>>>>>>>>> prescriptive advice.
> >>>>>>>>>>>>
> >>>>>>>>>>>> So, I ask you to tell me what would be the best way to proceed.
> >>>>>>>>>>>>
> >>>>>>>>>>>> The original version (in Portuguese) is available here:
> >>>>>>>>>>>>
> >>>>>>>>>>>> https://docs.google.com/a/owasp.org/viewer?a=v&pid=explorer&chrome=true&srcid=0B80Pq13j4HaqYTJlYjYyMjQtZGIyZS00NGY2LTlmOTMtZDUyMDk5MzUzYmEx&hl=en&authkey=CIi7r5EP
> >>>>>>>>>>>>
> >>>>>>>>>>>> A Google translated version is here:
> >>>>>>>>>>>>
> >>>>>>>>>>>> https://docs.google.com/a/owasp.org/document/d/1pWNIlMvbl9DueibfrETIRZBj4qxKLjz6DgavTxnYNDQ/edit?hl=en&authkey=CNOWjaQL
> >>>>>>>>>>>>
> >>>>>>>>>>>> I will try to improve the translated version in the next days.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks for your help,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Lucas
> >>>>>>>>>>>>
> >>>>>>>>>>>> --
> >>>>>>>>>>>> Homo sapiens non urinat in ventum.
> >>>>>>>>>>>>
> >>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>> Global_industry_committee mailing list
> >>>>>>>>>>>> Global_industry_committee at lists.owasp.org
> >>>>>>>>>>>>
> >>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >
>
>
>
>



-- 
OWASP Operational Support for Global Chapters, Conferences, and Industry
Committees

OWASP MSP: Host to OWASP AppSec USA 2011
September 20-23 Training, Talks, CTF, and Showroom
www.appsecusa.org
@appsecusa, @owaspmsp @OWASPSummit

Dir: 312-869-2779
skype: sarah.baso
sarah.baso at owasp.org