[Global_industry_committee] Interim lead of GIC

Marco M. Morana marco.m.morana at gmail.com
Thu Jul 21 08:46:24 EDT 2011


I will put something together to look at this weekend. Perhaps we can set up a conf call next week? I can set up one if you let me know a date and time that work for you.

Cheers
Marco

Sent from my iPhone

On Jul 21, 2011, at 7:02 AM, Eoin <eoin.keary at owasp.org> wrote:

> this sounds like a Project?
> Marco, Colin fancy doing this together?
> I believe it would have real impact and high adoption if done properly.
> 
> 
>  
> On 21 July 2011 02:04, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> Colin, Eoin
> 
> Regarding ideas, it would be nice if we could provide some quantitative risk
> management criteria for the OWASP T10, for example by qualifying the
> business impacts based upon the type of incident as a result of an exploit of a
> T10 and the cost of the incident. I wrote an article for a banking magazine
> (AziendaBanca) in Italian and I thought it would be nice to translate it and
> expand it in the context of an OWASP project.
> 
> The usefulness of such a Business Impact Analysis project, from an ISO (Info Sec
> Officer) perspective for example, is that today, when confronted with a
> choice to invest in software/application security, there are no quantitative
> criteria to decide how much we should spend and where. If I can quantify the
> costs in terms of business impact of an exploit of a SQL injection
> vulnerability, for example, for a site with millions of users, and I can also
> provide some criteria to decide how much to spend on software security
> measures and where to spend it, this will be very useful. Assuming the OWASP T10
> countermeasures are the choice, for example, it is still not clear in which
> process, software security activity, or tools/policy I should put my focus;
> this also includes, of course, people/training.
> 
> A criterion that could produce this data would also serve the purpose of making
> the business case for software security, for example when such spending is
> justifiable in terms of cost savings, beyond reactively remediating
> vulnerabilities or the incidents that exploit them, and also by comparing improved
> efficiency, e.g. fixing vulnerabilities early rather than late in the SDLC.
> 
> Regarding the survey, if I remember well (but I am not 100% sure), I think
> specific questions to profile the person responding to the survey are missing or
> not mandatory. I think that capturing the role and responsibility of who
> submits it, as being a software developer, security consultant or
> security manager/CISO, is of critical importance.
> 
> I think what is really important in a survey is to try to get some data to
> really understand what drives software security adoption for organizations
> today, per different types of vertical. For example, is it because of
> compliance? Is it because of an incident the company had? Who is driving it
> at the organizational level? Which approach is used? Is it top down (à la the Bill
> Gates memo) or is it bottom up from operations? Is it driven by outside
> consulting services or by inside teams? I think also we should try to map
> the survey to the OWASP project offering. For example, from the survey we
> could gather that certain industry sectors are less mature than others and
> that some software security processes are more adopted than others. Based
> upon this info we could better drive our focus to the areas that are less
> mature and need more of a dent from OWASP funding and projects.
> 
> Regards
> 
> Marco
> 
> 
> 
> 
> 
> -----Original Message-----
> From: global_industry_committee-bounces at lists.owasp.org
> [mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of
> Colin Watson
> Sent: Wednesday, July 20, 2011 4:59 AM
> To: Eoin
> Cc: global_industry_committee at lists.owasp.org
> Subject: Re: [Global_industry_committee] Intrim lead of GIC
> 
> Marco - thanks for your contribution to this, but I'd like to
> reinforce Eoin's request.  The more knowledge you can share with us,
> the better.
> 
> Do we know if Joe is still a committee member, or did he just resign as
> chair?
> 
> Colin
> 
> On 20 July 2011 09:34, Eoin <eoin.keary at owasp.org> wrote:
> > Congrats Rex, can the GIC ask Kate to announce this to the leaders list?
> > Marco, I believe we would still value your input as a rep for industry
> > concerns; would it be possible to get a wish list from you and your peer
> > group of issues OWASP could help address?
> > Feedback on the industry survey would also be helpful.
> > Eoin
> >
> >
> >
> >
> > On 20 Jul 2011, at 01:37, Rex Booth <rex.booth at owasp.org> wrote:
> >
> >> Marco,
> >>
> >> Much obliged.  I'd greatly appreciate your support and insight assuming
> >> the rest of the committee agrees with this approach to the transition.
> >>
> >> Thanks,
> >> Rex
> >>
> >> On 7/19/2011 6:38 PM, Marco M. Morana wrote:
> >>> Rex
> >>>
> >>> I will be happy to have you step in as president of GIC and support you in
> >>> the endeavor as vice. That makes sense since you have already been elected.
> >>>
> >>> Regards
> >>>
> >>> Marco
> >>>
> >>>
> >>>
> >>>
> >>> Sent from my iPhone
> >>>
> >>> On Jul 19, 2011, at 4:13 PM, David Campbell<dcampbell at owasp.org>  wrote:
> >>>
> >>>> Agreed. Rex was elected and had our support until Joe swept in :)
> >>>>
> >>>> I support Rex for this role.
> >>>>
> >>>> DC
> >>>>
> >>>>
> >>>> On 7/19/2011 13:10, Rex Booth wrote:
> >>>>> I'm interested in leading for a year (or as an interim).  For what it's
> >>>>> worth, I had been "elected" by the committee when I stepped aside for
> >>>>> Joe to take over.  That said, I like Marco as well and certainly
> >>>>> wouldn't object to his leadership.
> >>>>>
> >>>>> However, I don't agree that an industry guy needs to lead the
> >>>>> committee.  The fact that one works in industry makes one no more or
> >>>>> less able to lead our mission.  In fact, it may be the consultants who
> >>>>> are used to interacting with a wide range of industry as clients who are
> >>>>> best able to execute our mission.
> >>>>>
> >>>>> Rex
> >>>>>
> >>>>> On 7/19/2011 1:34 PM, Eoin wrote:
> >>>>>> Thanks Colin, I am aware I am shooting from the hip here. I believe
> >>>>>> we need an industry rep to lead the GIC and Marco is a great guy.
> >>>>>> To do GIC lead shall take a fair bit of work. Also re membership of
> >>>>>> GIC I don't believe that is a problem if we can find the correct
> >>>>>> replacement?
> >>>>>> Anyone else want to chime in?
> >>>>>>
> >>>>>> Eoin
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 19 Jul 2011, at 17:59, Colin Watson <colin.watson at owasp.org> wrote:
> >>>>>>
> >>>>>>> Eoin
> >>>>>>>
> >>>>>>> That's sad to hear.  I guess Marco would need to become a committee
> >>>>>>> member, but we should ask if anyone else on the committee is
> >>>>>>> interested too in this interim role... and this email is prompting
> >>>>>>> members to reply.  Yes, we could do without too big a gap - it was a
> >>>>>>> problem at the start of the year.
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>>> Colin
> >>>>>>>
> >>>>>>> On 19 July 2011 17:21, Eoin<eoin.keary at owasp.org>   wrote:
> >>>>>>>> Hello GIC,
> >>>>>>>>
> >>>>>>>> I am sorry to say that Joe has resigned from the position of GIC leader.
> >>>>>>>> May I suggest we offer the position to Marco Morana, who works in Citi and
> >>>>>>>> represents industry?
> >>>>>>>> Thoughts please, as I'd like to offer him the position sooner rather than
> >>>>>>>> later.
> >>>>>>>>
> >>>>>>>> I believe he is willing to take on the role until we elect a new leader with
> >>>>>>>> a suitable profile.
> >>>>>>>> Eoin
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Eoin Keary
> >>>>>>>> OWASP Global Board Member
> >>>>>>>> OWASP Code Review Guide Lead Author
> >>>>>>>>
> >>>>>>>> https://twitter.com/EoinKeary
> >>>>>>>> http://twitter.com/BCCRiskAdvisory
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> Global_industry_committee mailing list
> >>>>>>>> Global_industry_committee at lists.owasp.org
> >>>>>>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
> >>>>>>>>
> >>>>>>>>
> 
> 
> 
> 
> -- 
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> 
> https://twitter.com/EoinKeary
> http://twitter.com/BCCRiskAdvisory
> 
> 