[Global_industry_committee] Interim lead of GIC

Colin Watson colin.watson at owasp.org
Sat Jul 30 08:21:56 EDT 2011


Just bumping this one.

I was too busy to respond at the time, but will help if I can,

Colin

On 21/07/2011, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> I will put something together to look at this weekend. Perhaps we can set up
> a conf call next week? I can set up one if you let me know a date and time
> that work for you.
>
> Cheers
> Marco
>
> Sent from my iPhone
>
> On Jul 21, 2011, at 7:02 AM, Eoin <eoin.keary at owasp.org> wrote:
>
>> this sounds like a Project?
>> Marco, Colin fancy doing this together?
>> I believe it would have real impact and high adoption if done properly.
>>
>>
>>
>> On 21 July 2011 02:04, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>> Colin, Eoin
>>
>> Regarding ideas, it would be nice if we could provide some quantitative
>> risk management criteria for the OWASP T10, for example by qualifying the
>> business impacts based upon the type of incident as a result of an exploit
>> of a T10 and the cost of the incident. I wrote an article for a banking
>> magazine (AziendaBanca) in Italian and I thought it would be nice to
>> translate it and expand this in the context of an OWASP project.
>>
>> The usefulness of such a Business Impact Analysis project, from the ISO
>> (Info Sec Officer) perspective for example, is that today, when confronted
>> with a choice to invest in software/application security, there are no
>> quantitative criteria to decide how much we should spend and where. If I
>> can quantify the costs in terms of business impact of an exploit of a SQL
>> injection vulnerability, for example, for a site with millions of users,
>> and I can also provide some criteria to decide how much to spend in
>> software security measures and where to spend it, this will be very
>> useful. Assuming the OWASP T10 countermeasures are the choice, for
>> example, it is still not clear in which process, software security
>> activity, tools/policy I should put my focus; this also includes of course
>> people/training.
>>
>> Criteria that could produce this data will also serve the purpose of
>> making the business case for software security, for example when such
>> spending is justifiable in terms of cost savings besides remediating
>> vulnerabilities reactively or incidents that exploit them, also by
>> comparing improved efficiency, e.g. fixing vulnerabilities early rather
>> than late in the SDLC.
>>
>> Regarding the survey, if I remember well, but I'm not 100% sure, I think
>> specific questions to profile the person responding to the survey are
>> missing or not mandatory. I think that capturing the role and
>> responsibility of who submits it, as being a software developer, security
>> consultant or security manager/CISO, is of critical importance.
>>
>> I think what is really important in a survey is to try to get some data
>> to really understand what drives software security adoption for
>> organizations today, per different types of vertical. For example, is it
>> because of compliance? Is it because of an incident the company had? Who
>> is driving it from the organizational level? Which approach is used? Is
>> it top down (a la Bill Gates memo) or is it bottom up from operations? Is
>> it driven by outside consulting services or by inside teams? I think also
>> we should try to map the survey to the OWASP project offering. For
>> example, from the survey we could gather that certain industry sectors
>> are less mature than others and that some software security processes
>> are more adopted than others. Based upon this info we could better drive
>> our focus in the areas that are less mature and need more dent from OWASP
>> funding and projects.
>>
>> Regards
>>
>> Marco
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: global_industry_committee-bounces at lists.owasp.org
>> [mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of
>> Colin Watson
>> Sent: Wednesday, July 20, 2011 4:59 AM
>> To: Eoin
>> Cc: global_industry_committee at lists.owasp.org
>> Subject: Re: [Global_industry_committee] Interim lead of GIC
>>
>> Marco - thanks for your contribution to this, but I'd like to
>> reinforce Eoin's request.  The more knowledge you can share with us,
>> the better.
>>
>> Do we know if Joe is still a committee member, or did he just resign as
>> chair?
>>
>> Colin
>>
>> On 20 July 2011 09:34, Eoin <eoin.keary at owasp.org> wrote:
>> > Congrats Rex, can the GIC ask Kate to announce this to the leaders list?
>> > Marco I believe we would still value your input as a rep for industry
>> > concerns, would it be possible to get a wish list from you and your peer
>> > group of issues OWASP could help address?
>> > Feedback on the industry survey would also be helpful.
>> > Eoin
>> >
>> >
>> >
>> >
>> > On 20 Jul 2011, at 01:37, Rex Booth <rex.booth at owasp.org> wrote:
>> >
>> >> Marco,
>> >>
>> >> Much obliged.  I'd greatly appreciate your support and insight assuming
>> >> the rest of the committee agrees with this approach to the transition.
>> >>
>> >> Thanks,
>> >> Rex
>> >>
>> >> On 7/19/2011 6:38 PM, Marco M. Morana wrote:
>> >>> Rex
>> >>>
>> >>> I will be happy to have you step in as president of GIC and support
>> >>> you in the endeavor as vice. That makes sense since you have already
>> >>> been elected.
>> >>>
>> >>> Regards
>> >>>
>> >>> Marco
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> Sent from my iPhone
>> >>>
>> >>> On Jul 19, 2011, at 4:13 PM, David Campbell <dcampbell at owasp.org> wrote:
>> >>>
>> >>>> Agreed. Rex was elected and had our support until Joe swept in :)
>> >>>>
>> >>>> I support Rex for this role.
>> >>>>
>> >>>> DC
>> >>>>
>> >>>>
>> >>>> On 7/19/2011 13:10, Rex Booth wrote:
>> >>>>> I'm interested in leading for a year (or as an interim).  For what
>> >>>>> it's worth, I had been "elected" by the committee when I stepped
>> >>>>> aside for Joe to take over.  That said, I like Marco as well and
>> >>>>> certainly wouldn't object to his leadership.
>> >>>>>
>> >>>>> However, I don't agree that an industry guy needs to lead the
>> >>>>> committee.  The fact that one works in industry makes one no more or
>> >>>>> less able to lead our mission.  In fact, it may be the consultants
>> >>>>> who are used to interacting with a wide range of industry as clients
>> >>>>> who are best able to execute our mission.
>> >>>>>
>> >>>>> Rex
>> >>>>>
>> >>>>> On 7/19/2011 1:34 PM, Eoin wrote:
>> >>>>>> Thanks Colin, I am aware I am shooting from the hip here. I believe
>> >>>>>> we need an industry rep to lead the GIC and Marco is a great guy.
>> >>>>>> To do GIC lead shall take a fair bit of work. Also re membership of
>> >>>>>> GIC I don't believe that is a problem if we can find the correct
>> >>>>>> replacement?
>> >>>>>> Anyone else want to chime in?
>> >>>>>>
>> >>>>>> Eoin
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> On 19 Jul 2011, at 17:59, Colin Watson <colin.watson at owasp.org> wrote:
>> >>>>>>
>> >>>>>>> Eoin
>> >>>>>>>
>> >>>>>>> That's sad to hear.  I guess Marco would need to become a
>> >>>>>>> committee member, but we should ask if anyone else on the committee
>> >>>>>>> is interested too in this interim role... and this email is
>> >>>>>>> prompting members to reply.  Yes, we could do without too big a gap
>> >>>>>>> - it was a problem at the start of the year.
>> >>>>>>>
>> >>>>>>> Regards
>> >>>>>>>
>> >>>>>>> Colin
>> >>>>>>>
>> >>>>>>> On 19 July 2011 17:21, Eoin <eoin.keary at owasp.org> wrote:
>> >>>>>>>> Hello GIC,
>> >>>>>>>>
>> >>>>>>>> I am sorry to say that Joe has resigned from the position of GIC
>> >>>>>>>> leader.
>> >>>>>>>> May I suggest we offer the position to Marco Morana who works in
>> >>>>>>>> Citi and represents industry?
>> >>>>>>>> Thoughts please, as I'd like to offer him the position sooner
>> >>>>>>>> rather than later.
>> >>>>>>>>
>> >>>>>>>> I believe he is willing to take on the role until we elect a new
>> >>>>>>>> leader with a suitable profile.
>> >>>>>>>> Eoin
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> --
>> >>>>>>>> Eoin Keary
>> >>>>>>>> OWASP Global Board Member
>> >>>>>>>> OWASP Code Review Guide Lead Author
>> >>>>>>>>
>> >>>>>>>> https://twitter.com/EoinKeary
>> >>>>>>>> http://twitter.com/BCCRiskAdvisory
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> _______________________________________________
>> >>>>>>>> Global_industry_committee mailing list
>> >>>>>>>> Global_industry_committee at lists.owasp.org
>> >>>>>>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>> >>>>>>>>
>> >>>>>>>>
>>
>>
>>
>>
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>>
>> https://twitter.com/EoinKeary
>> http://twitter.com/BCCRiskAdvisory
>>
>>
>

