[Global_industry_committee] An open letter to the Brazilian Government

Colin Watson colin.watson at owasp.org
Sat Apr 23 09:01:48 EDT 2011


Lucas

This is a really great document.  I have re-read it and don't have any
further suggestions.

Regards

Colin


On 20 April 2011 20:26, Sarah Baso <sarah.baso at owasp.org> wrote:
> Lucas -- this is great!  All GIC members have been advised to look over this
> document as we would like to make a committee decision on whether to
> endorse/stand behind this doc as you have requested.
>
> Thank you for the follow up and we will hopefully have an answer for you
> after our next meeting.
>
> Best Regards,
> Sarah Baso
>
> On Wed, Apr 20, 2011 at 1:17 PM, Lucas Ferreira <lucas.ferreira at owasp.org>
> wrote:
>>
>> Hello Colin and GIC members,
>>
>> I've sent the document to the Brazilian chapters mailing lists and got
>> some feedback about the document and its ideas. We now have compiled a
>> 1.0 version for the document including the suggestions and comments
>> sent to the Brazilian lists. This version was sent today to the OWASP
>> Portuguese Language Project mailing list and has been published on the
>> OWASP wiki (in both https://www.owasp.org/index.php/Category:Brasil
>> and https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project)
>>
>> The final document is directly downloadable from
>>
>> https://www.owasp.org/images/1/16/Seguranca_na_web_-_uma_janela_de_oportunidades.pdf
>>
>> I have also updated the rough translation with the new sessions that
>> were included because of the discussion on the Brazilian lists. The
>> translation is available here to anyone with an @owasp.org username:
>>
>> https://docs.google.com/a/owasp.org/document/d/1pWNIlMvbl9DueibfrETIRZBj4qxKLjz6DgavTxnYNDQ/edit?hl=en&authkey=CNOWjaQL
>>
>> Best regards,
>>
>> Lucas
>>
>> On Tue, Mar 29, 2011 at 12:26, Colin Watson <colin.watson at owasp.org>
>> wrote:
>> > Lucas
>> >
>> > Just to re-iterate one thing.... I think it is *very* important to
>> > have input/support from *all* the Brazilian local chapters, regardless
>> > of what happens to the document next.
>> >
>> > Colin
>> >
>> >
>> >
>> > On 29 March 2011 15:17, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>> >> Sarah,
>> >>
>> >> The letter was written with the goal to send it to the Government and
>> >> try to influence government decisions as many NGOs do. In order to
>> >> achieve this goal, it needs to be a statement from OWASP, instead of
>> >> being just my own opinion. This is what NGOs such as WWF or Greenpeace
>> >> do all the time and is certainly part of their success
>> >>
>> >> (http://www.worldwildlife.org/what/howwedoit/policy/letterstestimonydocs.html).
>> >>
>> >> I wanted OWASP to be able to write letters to government officials
>> >> with statements such as "On behalf of World Wildlife Fund’s 1.2
>> >> million members..."
>> >>
>> >> (http://www.worldwildlife.org/what/howwedoit/policy/WWFBinaryitem7101.pdf).
>> >> This is much stronger than a letter from myself or my local chapter.
>> >> It is this kind of impact I am seeking.
>> >>
>> >> Unfortunately, in order to avoid bureaucracy, OWASP seems to have no
>> >> way to materialize the strength of congregating most of the world
>> >> AppSec experts. IMHO, we are losing an opportunity to make a
>> >> difference.
>> >>
>> >> About what I want from the GIC: I thought that the GIC would be the
>> >> "natural" point of entry for my letter, since the goal is to interact
>> >> with a government. I really appreciate and have a deep respect for
>> >> Colin's advice, but he sent me his own opinion. As far as I
>> >> understand, Colin had no intention of speaking on behalf of the
>> >> Committee.
>> >>
>> >> What I really want is to know if I can go ahead and begin sending the
>> >> document. Or if I have to change it and make it a personal statement.
>> >> It would be great if the GIC could tell me "we're good with it, go
>> >> ahead" or "we're good with it, but you need Board's approval". Or just
>> >> tell me: "It's not our business", and I would go somewhere else.
>> >>
>> >> Thanks,
>> >>
>> >> Lucas
>> >>
>> >> On Tue, Mar 29, 2011 at 10:27, Sarah Baso <sarah.baso at owasp.org> wrote:
>> >>> Lucas,
>> >>>
>> >>> What else specifically are you looking for from the GIC? Colin gave
>> >>> you some feedback, and he is a member of the GIC...
>> >>>
>> >>> We can try to have someone else take on the task, but I'm not sure if
>> >>> you are just looking for more feedback?
>> >>>
>> >>> Thanks.
>> >>>
>> >>> Sarah Baso
>> >>>
>> >>> On Mar 29, 2011, at 8:15 AM, Lucas Ferreira <lucas.ferreira at owasp.org>
>> >>> wrote:
>> >>>
>> >>>> Hello Tom,
>> >>>>
>> >>>> OK, I'll assume that the committees can speak on matters related to
>> >>>> their missions.
>> >>>>
>> >>>> Going back to the document I wrote, what is your advice? Until now, I
>> >>>> only got some input from Colin and I still don't know if the GIC will
>> >>>> look at it. If there is no feedback on this, what should I do?
>> >>>> Proceed? Forget it? Ask the Board?
>> >>>>
>> >>>> Thanks,
>> >>>>
>> >>>> Lucas
>> >>>>
>> >>>> On Mon, Mar 28, 2011 at 22:36, Tom Brennan <tomb at owasp.org> wrote:
>> >>>>> It's really not that complicated, Lucas.  What we want to avoid is the
>> >>>>> edge case as this adds too much bureaucracy to OWASP, I agree we need some
>> >>>>> but that is why we have Global Committee Chairs
>> >>>>> (committees-chairs at lists.owasp.org) as focus groups and the Board to help
>> >>>>> keep things on mission and purpose as well as the overall community.
>> >>>>>
>> >>>>> Empowerment does work if everyone has the same goals, understands
>> >>>>> that purpose, operates with values and ethics in mind see:
>> >>>>> http://www.owasp.org/index.php/About_OWASP
>> >>>>>
>> >>>>> Semper Fi,
>> >>>>>
>> >>>>> Tom Brennan
>> >>>>> Direct: 973-202-0122
>> >>>>> http://www.linkedin.com/in/tombrennan
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Mar 28, 2011, at 9:21 PM, Lucas Ferreira wrote:
>> >>>>>
>> >>>>>> Hello Mauro,
>> >>>>>>
>> >>>>>> I agree that each committee must be entitled to speak for itself.
>> >>>>>> But
>> >>>>>> can they speak on behalf of OWASP? How can we guarantee that
>> >>>>>> different
>> >>>>>> committees will not issue conflicting statements to the public at
>> >>>>>> large?
>> >>>>>>
>> >>>>>> Independent of this issue, will the GIC look at the document
>> >>>>>> itself?
>> >>>>>> May I expect to have a position from the GIC about the document?
>> >>>>>>
>> >>>>>> Thanks,
>> >>>>>>
>> >>>>>> Lucas
>> >>>>>>
>> >>>>>> On Mon, Mar 28, 2011 at 10:09, Mauro Flores
>> >>>>>> <mauro.flores at owasp.org> wrote:
>> >>>>>>> I agree with Lucas about having an approval process for
>> >>>>>>> communications, and I don't know if there is a formal process
>> >>>>>>> defined in OWASP.
>> >>>>>>> I think that each committee is independent enough to speak on
>> >>>>>>> behalf of itself, if it has had a previous internal vote. I mean,
>> >>>>>>> if we all vote to publish a letter or something like that in the
>> >>>>>>> name of the OWASP GIC, we should be able to do it.
>> >>>>>>>
>> >>>>>>> I also think that to have a unique OWASP voice on something
>> >>>>>>> should be a little more complex. If we want to say that this
>> >>>>>>> letter/publishing represents the ideas and values of all the
>> >>>>>>> OWASP organization... is complex. More than that, I also wonder
>> >>>>>>> if we need that... shouldn't it be enough that a committee takes
>> >>>>>>> a position on a certain issue that involves it? Isn't it enough
>> >>>>>>> for the companies the resolutions that the OWASP Committees take?
>> >>>>>>> Do they need a higher approval??  I think not...
>> >>>>>>> just my thoughts.
>> >>>>>>>
>> >>>>>>> regards, Mauro Flores
>> >>>>>>>
>> >>>>>>> On Thu, 24-03-2011 at 18:12 -0300, Lucas Ferreira wrote:
>> >>>>>>>> Hello Colin,
>> >>>>>>>>
>> >>>>>>>> April 1st will be pretty busy for me, so I won't be able to join
>> >>>>>>>> the conf.
>> >>>>>>>>
>> >>>>>>>> IMHO, if OWASP wants to work with governments, it must have a
>> >>>>>>>> process
>> >>>>>>>> to allow someone to speak on behalf of the organization. That's
>> >>>>>>>> what I
>> >>>>>>>> need now. The point is not to have this specific document
>> >>>>>>>> approved,
>> >>>>>>>> but to bring the OWASP point of view to the government. The
>> >>>>>>>> rationale
>> >>>>>>>> for this is the same used by other orgs, such as WWF or
>> >>>>>>>> Greenpeace: to
>> >>>>>>>> gain strength. If something is the point of view of OWASP, it can
>> >>>>>>>> get
>> >>>>>>>> more attention than my own PoV, or my chapter's PoV. If we share
>> >>>>>>>> a
>> >>>>>>>> common understanding of how things should be done, we need to
>> >>>>>>>> have
>> >>>>>>>> some way to gather this understanding and stating it clearly.
>> >>>>>>>>
>> >>>>>>>> Based on your and Paulo's suggestions, I'll send this to the
>> >>>>>>>> board.
>> >>>>>>>> Does anyone else in the GIC want to comment? Would the GIC like
>> >>>>>>>> me to
>> >>>>>>>> wait until your conference?
>> >>>>>>>>
>> >>>>>>>> OWASP being either a platform or a hierarchy, it should be able
>> >>>>>>>> to
>> >>>>>>>> make statements and recommendations.
>> >>>>>>>>
>> >>>>>>>> Regards,
>> >>>>>>>>
>> >>>>>>>> Lucas
>> >>>>>>>>
>> >>>>>>>> On Thu, Mar 24, 2011 at 13:37, Colin Watson
>> >>>>>>>> <colin.watson at owasp.org> wrote:
>> >>>>>>>>> Lucas
>> >>>>>>>>>
>> >>>>>>>>> Sorry, I misunderstood the purpose of the English-language
>> >>>>>>>>> version.
>> >>>>>>>>> It is perfectly good as it is, for this process we are going
>> >>>>>>>>> through
>> >>>>>>>>> now.
>> >>>>>>>>>
>> >>>>>>>>> Regarding "approval", I'm not sure the GIC has approved anything
>> >>>>>>>>> much
>> >>>>>>>>> before.  I've tended to use "submitted on behalf of..." but with
>> >>>>>>>>> a
>> >>>>>>>>> government I see you may want to have more gravitas.  Honestly,
>> >>>>>>>>> I
>> >>>>>>>>> don't know if OWASP has (or desires) to have a mechanism, for
>> >>>>>>>>> approval.  The nearest thing is the quality criteria for
>> >>>>>>>>> projects.
>> >>>>>>>>>
>> >>>>>>>>> Feel free to join in the next GIC conference call on 1 April or
>> >>>>>>>>> maybe
>> >>>>>>>>> it's something you want the board's viewpoint on?
>> >>>>>>>>>
>> >>>>>>>>>  http://www.owasp.org/index.php/OWASP_Board_Meetings
>> >>>>>>>>>
>> >>>>>>>>> I guess it comes down to "is OWASP a hierarchy, or a platform?".
>> >>>>>>>>>  And
>> >>>>>>>>> if it's a hierarchy, is the board at the top or the bottom?
>> >>>>>>>>>
>> >>>>>>>>> Colin
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> On 24 March 2011 12:41, Lucas Ferreira
>> >>>>>>>>> <lucas.ferreira at owasp.org> wrote:
>> >>>>>>>>>> Hello Colin,
>> >>>>>>>>>>
>> >>>>>>>>>> thanks very much for your feedback.
>> >>>>>>>>>>
>> >>>>>>>>>> First I would like to say that my first intention was to
>> >>>>>>>>>> produce a
>> >>>>>>>>>> document in Portuguese, since its target is the Brazilian
>> >>>>>>>>>> government.
>> >>>>>>>>>> As a consequence, the English version is crappy. I produced it
>> >>>>>>>>>> quickly
>> >>>>>>>>>> using Google translator and adjusting the automatic
>> >>>>>>>>>> translation. I was
>> >>>>>>>>>> not planning to improve the translation beyond the point to
>> >>>>>>>>>> make the
>> >>>>>>>>>> document understandable by other OWASPers unless there is
>> >>>>>>>>>> interest
>> >>>>>>>>>> from other OWASP Chapters.
>> >>>>>>>>>>
>> >>>>>>>>>> My other comments are inline.
>> >>>>>>>>>>
>> >>>>>>>>>> On Thu, Mar 24, 2011 at 05:30, Colin Watson
>> >>>>>>>>>> <colin.watson at owasp.org> wrote:
>> >>>>>>>>>>> Lucas
>> >>>>>>>>>>>
>> >>>>>>>>>>> I read through the document last night and have a few comments
>> >>>>>>>>>>> about
>> >>>>>>>>>>> the content.  It's really a very good document, with lots of
>> >>>>>>>>>>> ideas I
>> >>>>>>>>>>> support, but who knows whether these are all OWASP's view (if
>> >>>>>>>>>>> it has
>> >>>>>>>>>>> such a thing).  When you get to a near-final version, I'd be
>> >>>>>>>>>>> happy to
>> >>>>>>>>>>> go through and check it against "UK English" if you like.
>> >>>>>>>>>>>
>> >>>>>>>>>>> 1) [Cover] It seems longer than a "letter", perhaps call it
>> >>>>>>>>>>> something
>> >>>>>>>>>>> else?  Is "manifesto" better?
>> >>>>>>>>>>
>> >>>>>>>>>> You're right. I'll seek a better word for describing the
>> >>>>>>>>>> document.
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 2) [p2] Do the CERT.br statistics relate to application
>> >>>>>>>>>>> security
>> >>>>>>>>>>> attacks or not?  Is there any data?  Is anyone counting?
>> >>>>>>>>>>
>> >>>>>>>>>> No, they relate to any kind of security incident in the
>> >>>>>>>>>> Brazilian
>> >>>>>>>>>> Internet space. I don't know of good statistics for app sec in
>> >>>>>>>>>> Brazil,
>> >>>>>>>>>> so I used the closest I could find that is reliable and
>> >>>>>>>>>> published by a
>> >>>>>>>>>> trusted entity.
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 3) [p4] Change title to just "OWASP" or "The OWASP" since
>> >>>>>>>>>>> P=project already
>> >>>>>>>>>>
>> >>>>>>>>>> As I said, I'll leave English corrections for a future
>> >>>>>>>>>> "real" English
>> >>>>>>>>>> version, if there is interest from other countries.
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 4) [p4] I think the number of active chapters is less than 180
>> >>>>>>>>>>> now -
>> >>>>>>>>>>> Kate or Tom B have data on this.
>> >>>>>>>>>>
>> >>>>>>>>>> OK. I'll check the data.
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 5) [p4] Remove "project" from 4th paragraph, third word
>> >>>>>>>>>>>
>> >>>>>>>>>>> 6) [whole doc, but noticed on p5] The terms "network",
>> >>>>>>>>>>> "software" and
>> >>>>>>>>>>> "internet" are maybe being used to mean similar things at
>> >>>>>>>>>>> times - for
>> >>>>>>>>>>> clarity, which one/ones is this document about?
>> >>>>>>>>>>>
>> >>>>>>>>>>> 7) [p6] Would "baseline security requirements" be better than
>> >>>>>>>>>>> "minimum
>> >>>>>>>>>>> security requirements"?
>> >>>>>>>>>>
>> >>>>>>>>>> Same as before about improving the document language.
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 8) [p9] You mention SSE-CMM and ASVS.... but would SAMM be
>> >>>>>>>>>>> more
>> >>>>>>>>>>> comparable to SSE-CMM, and mention ASVS elsewhere?
>> >>>>>>>>>>
>> >>>>>>>>>> I would rather include all of them. Any framework that can be
>> >>>>>>>>>> used for
>> >>>>>>>>>> designing audits fits this item, as it is only a general
>> >>>>>>>>>> recommendation.
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 9) [p13] Perhaps other things to mention are:
>> >>>>>>>>>>>            - improve Brazil's reputation as a safe place to do
>> >>>>>>>>>>>              online and offline business
>> >>>>>>>>>>>            - attract inward investment by software development
>> >>>>>>>>>>>              companies
>> >>>>>>>>>>>            - increased national resilience to cyber attacks
>> >>>>>>>>>>
>> >>>>>>>>>> These are great points. I'll get them into the document.
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> 10) [p15] In contacts maybe have full details for one person
>> >>>>>>>>>>> as the
>> >>>>>>>>>>> primary contact (e.g. yourself), but list the names and email
>> >>>>>>>>>>> addresses of each Brazilian chapter leader
>> >>>>>>>>>>
>> >>>>>>>>>> Yes, good point. I was waiting to see how OWASP would embrace
>> >>>>>>>>>> this
>> >>>>>>>>>> initiative before choosing contacts. I'll probably ask the
>> >>>>>>>>>> Brazilian
>> >>>>>>>>>> leaders for permission before putting their names on this
>> >>>>>>>>>> document.
>> >>>>>>>>>>
>> >>>>>>>>>> Again, thanks a lot for your time. Do you think the industry
>> >>>>>>>>>> committee
>> >>>>>>>>>> could endorse this document? Should the board be involved?
>> >>>>>>>>>>
>> >>>>>>>>>> Lucas
>> >>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> Regards
>> >>>>>>>>>>>
>> >>>>>>>>>>> Colin
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> On 21 March 2011 20:37, Lucas Ferreira
>> >>>>>>>>>>> <lucas.ferreira at owasp.org> wrote:
>> >>>>>>>>>>>> Hello Industry Committee Members,
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Based on Dinis' keynote at IBWAS 2010, I wrote a white paper
>> >>>>>>>>>>>> on how the
>> >>>>>>>>>>>> Brazilian Government could improve web application security
>> >>>>>>>>>>>> in the country.
>> >>>>>>>>>>>> I'd like to be able to send this out as a message from OWASP
>> >>>>>>>>>>>> and am trying
>> >>>>>>>>>>>> to understand how this could be done. I think this could be a
>> >>>>>>>>>>>> good
>> >>>>>>>>>>>> introduction of OWASP to many government officials, as it
>> >>>>>>>>>>>> contains
>> >>>>>>>>>>>> prescriptive advice.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> So, I ask you to tell me what would be the best way to
>> >>>>>>>>>>>> proceed.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> The original version (in Portuguese) is available here:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> https://docs.google.com/a/owasp.org/viewer?a=v&pid=explorer&chrome=true&srcid=0B80Pq13j4HaqYTJlYjYyMjQtZGIyZS00NGY2LTlmOTMtZDUyMDk5MzUzYmEx&hl=en&authkey=CIi7r5EP
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> A Google translated version is here:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> https://docs.google.com/a/owasp.org/document/d/1pWNIlMvbl9DueibfrETIRZBj4qxKLjz6DgavTxnYNDQ/edit?hl=en&authkey=CNOWjaQL
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> I will try to improve the translated version in the next
>> >>>>>>>>>>>> days.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Thanks for your help,
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Lucas
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> --
>> >>>>>>>>>>>> Homo sapiens non urinat in ventum.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> _______________________________________________
>> >>>>>>>>>>>> Global_industry_committee mailing list
>> >>>>>>>>>>>> Global_industry_committee at lists.owasp.org
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> Homo sapiens non urinat in ventum.
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> --
>> >>>>>> Homo sapiens non urinat in ventum.
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Homo sapiens non urinat in ventum.
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Homo sapiens non urinat in ventum.
>> >>
>> >
>>
>>
>>
>> --
>> Homo sapiens non urinat in ventum.
>
>
>
> --
> OWASP Operational Support for Global Chapters, Conferences, and Industry
> Committees
>
> OWASP MSP: Host to OWASP AppSec USA 2011
> September 20-23 Training, Talks, CTF, and Showroom
> www.appsecusa.org
> @appsecusa, @owaspmsp @OWASPSummit
>
> Dir: 312-869-2779
> skype: sarah.baso
> sarah.baso at owasp.org
>

