[Global_industry_committee] Interim lead of GIC

Marco M. Morana marco.m.morana at gmail.com
Wed Jul 20 21:04:26 EDT 2011


Colin, Eoin

Regarding ideas, it would be nice if we could provide some quantitative risk
management criteria for the OWASP T10, for example by qualifying the
business impacts based upon the type of incident that results from an exploit of a
T10 and the cost of the incident. I wrote an article for a banking magazine
(AziendaBanca) in Italian and I thought it would be nice to translate it and
expand it in the context of an OWASP project.

The usefulness of such a Business Impact Analysis project, from an ISO (Info Sec
Officer) perspective for example, is that today, when confronted with a
choice to invest in software/application security, there are no quantitative
criteria to decide how much we should spend and where. If I can quantify the
costs in terms of business impact of an exploit of a SQL injection
vulnerability, for example, for a site with millions of users, and I can also
provide some criteria to decide how much to spend on software security
measures and where to spend it, this will be very useful. Assuming the OWASP T10
countermeasures are the choice, for example, it is still not clear in which
process, software security activity, or tools/policy I should put my focus;
this also includes, of course, people/training.

A criterion that could produce this data will also serve the purpose of making
the business case for software security, for example when such spending is
justifiable in terms of cost savings: besides reactively remediating
vulnerabilities or the incidents that exploit them, also by comparing improved
efficiency, e.g. fixing vulnerabilities early rather than late in the SDLC.

Regarding the survey, if I remember well (but I am not 100% sure), I think
specific questions to profile the person responding to the survey are missing or
not mandatory. I think that capturing the role and responsibility of whoever
submits it, as being a software developer, security consultant or
security manager/CISO, is of critical importance.

I think what is really important in a survey is to try to get some data to
really understand what drives software security adoption for organizations
today, per different types of vertical. For example, is it because of
compliance? Is it because of an incident the company had? Who is driving it
at the organizational level? Which approach is used? Is it top down (a la the Bill
Gates memo) or is it bottom up from operations? Is it driven by outside
consulting services or by inside teams? I think also we should try to map
the survey to the OWASP project offering. For example, from the survey we
could gather that certain industry sectors are less mature than others and
that some software security processes are more adopted than others. Based
upon this info we could better drive our focus to the areas that are less
mature and need more dent from OWASP funding and projects.

Regards

Marco





-----Original Message-----
From: global_industry_committee-bounces at lists.owasp.org
[mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of
Colin Watson
Sent: Wednesday, July 20, 2011 4:59 AM
To: Eoin
Cc: global_industry_committee at lists.owasp.org
Subject: Re: [Global_industry_committee] Interim lead of GIC

Marco - thanks for your contribution to this, but I'd like to
reinforce Eoin's request.  The more knowledge you can share with us,
the better.

Do we know if Joe is still a committee member, or did he just resign as
chair?

Colin

On 20 July 2011 09:34, Eoin <eoin.keary at owasp.org> wrote:
> Congrats Rex, can the GIC ask Kate to announce this to the leaders list?
> Marco I believe we would still value your input as a rep for industry
> concerns, would it be possible to get a wish list from you and your peer
> group of issues owasp could help address?
> Feedback on the industry survey would also be helpful.
> Eoin
>
>
>
>
> On 20 Jul 2011, at 01:37, Rex Booth <rex.booth at owasp.org> wrote:
>
>> Marco,
>>
>> Much obliged.  I'd greatly appreciate your support and insight assuming
>> the rest of the committee agrees with this approach to the transition.
>>
>> Thanks,
>> Rex
>>
>> On 7/19/2011 6:38 PM, Marco M. Morana wrote:
>>> Rex
>>>
>>> I will be happy to have you step in as president of GIC and support you in
>>> the endeavor as vice. That makes sense since you have already been elected.
>>>
>>> Regards
>>>
>>> Marco
>>>
>>>
>>>
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 19, 2011, at 4:13 PM, David Campbell <dcampbell at owasp.org> wrote:
>>>
>>>> Agreed. Rex was elected and had our support until Joe swept in :)
>>>>
>>>> I support Rex for this role.
>>>>
>>>> DC
>>>>
>>>>
>>>> On 7/19/2011 13:10, Rex Booth wrote:
>>>>> I'm interested in leading for a year (or as an interim).  For what it's
>>>>> worth, I had been "elected" by the committee when I stepped aside for
>>>>> Joe to take over.  That said, I like Marco as well and certainly
>>>>> wouldn't object to his leadership.
>>>>>
>>>>> However, I don't agree that an industry guy needs to lead the
>>>>> committee.  The fact that one works in industry makes one no more or
>>>>> less able to lead our mission.  In fact, it may be the consultants who
>>>>> are used to interacting with a wide range of industry as clients who are
>>>>> best able to execute our mission.
>>>>>
>>>>> Rex
>>>>>
>>>>> On 7/19/2011 1:34 PM, Eoin wrote:
>>>>>> Thanks Colin, I am aware I am shooting from the hip here. I believe
>>>>>> we need an industry rep to lead the GIC and Marco is a great guy.
>>>>>> To do GIC lead shall take a fair bit of work. Also re membership of
>>>>>> GIC, I don't believe that is a problem if we can find the correct
>>>>>> replacement?
>>>>>> Anyone else want to chime in?
>>>>>>
>>>>>> Eoin
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 19 Jul 2011, at 17:59, Colin Watson <colin.watson at owasp.org> wrote:
>>>>>>
>>>>>>> Eoin
>>>>>>>
>>>>>>> That's sad to hear.  I guess Marco would need to become a committee
>>>>>>> member, but we should ask if anyone else on the committee is
>>>>>>> interested too in this interim role... and this email is prompting
>>>>>>> members to reply.  Yes, we could do without too big a gap - it was a
>>>>>>> problem at the start of the year.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Colin
>>>>>>>
>>>>>>> On 19 July 2011 17:21, Eoin <eoin.keary at owasp.org> wrote:
>>>>>>>> Hello GIC,
>>>>>>>>
>>>>>>>> I am sorry to say that Joe has resigned from the position of GIC
>>>>>>>> leader.
>>>>>>>> May I suggest we offer the position to Marco Morana, who works in
>>>>>>>> Citi and represents industry?
>>>>>>>> Thoughts please, as I'd like to offer him the position sooner
>>>>>>>> rather than later.
>>>>>>>>
>>>>>>>> I believe he is willing to take on the role until we elect a new
>>>>>>>> leader with a suitable profile.
>>>>>>>> Eoin
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Eoin Keary
>>>>>>>> OWASP Global Board Member
>>>>>>>> OWASP Code Review Guide Lead Author
>>>>>>>>
>>>>>>>> https://twitter.com/EoinKeary
>>>>>>>> http://twitter.com/BCCRiskAdvisory
>>>>>>>>
>>>>>>>>
_______________________________________________
Global_industry_committee mailing list
Global_industry_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_industry_committee
