[Global_industry_committee] Interim lead of GIC

Eoin eoin.keary at owasp.org
Sat Jul 30 08:34:28 EDT 2011


Well, can we do a quick call next week to energise the team!



On 30 Jul 2011, at 13:21, Colin Watson <colin.watson at owasp.org> wrote:

> Just bumping this one.
> 
> I was too busy to respond at the time, but will help if I can,
> 
> Colin
> 
> On 21/07/2011, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>> I will put something together to look at this weekend. Perhaps we can set up
>> a conf call next week? I can set up one if you let me know a date and time
>> that work for you.
>> 
>> Cheers
>> Marco
>> 
>> Sent from my iPhone
>> 
>> On Jul 21, 2011, at 7:02 AM, Eoin <eoin.keary at owasp.org> wrote:
>> 
>>> This sounds like a Project?
>>> Marco, Colin, fancy doing this together?
>>> I believe it would have real impact and high adoption if done properly.
>>> 
>>> 
>>> 
>>> On 21 July 2011 02:04, Marco M. Morana <marco.m.morana at gmail.com> wrote:
>>> Colin, Eoin
>>> 
>>> Regarding ideas, it would be nice if we could provide some quantitative
>>> risk management criteria for the OWASP T10, for example by qualifying the
>>> business impacts based upon the type of incident resulting from the exploit
>>> of a T10 and the cost of the incident. I wrote an article for a banking
>>> magazine (AziendaBanca) in Italian and I thought it would be nice to
>>> translate it and expand it in the context of an OWASP project.
>>> 
>>> The usefulness of such a Business Impact Analysis project, from an ISO (Info
>>> Sec Officer) perspective for example, is that today, when confronted with a
>>> choice to invest in software/application security, there are no quantitative
>>> criteria to decide how much we should spend and where. If I can quantify the
>>> costs in terms of business impact of an exploit of a SQL injection
>>> vulnerability, for example, for a site with millions of users, and I can
>>> also provide some criteria to decide how much to spend on software security
>>> measures and where to spend it, this will be very useful. Assuming the OWASP
>>> T10 countermeasures are the choice, for example, it is still not clear in
>>> which process, software security activity, or tools/policy I should put my
>>> focus; this also includes of course people/training.
>>> 
>>> Criteria that could produce this data will also serve the purpose of making
>>> the business case for software security, for example when such spending is
>>> justifiable in terms of cost savings beyond reactively remediating
>>> vulnerabilities or incidents that exploit them, and also by comparing
>>> improved efficiency, e.g. fixing vulnerabilities early rather than late in
>>> the SDLC.
>>> 
>>> Regarding the survey, if I remember well (but I am not 100% sure), I think
>>> specific questions to profile the person responding to the survey are
>>> missing or not mandatory. I think that capturing the role and
>>> responsibility of whoever submits it, as to whether this is a software
>>> developer, security consultant or security manager/CISO, is of critical
>>> importance.
>>> 
>>> I think what is really important in a survey is to try to get some data to
>>> really understand what drives software security adoption for organizations
>>> today, per different types of vertical. For example, is it because of
>>> compliance? Is it because of an incident the company had? Who is driving it
>>> at the organizational level? Which approach is used? Is it top down (à la
>>> the Bill Gates memo) or is it bottom up from operations? Is it driven by
>>> outside consulting services or by inside teams? I think also we should try
>>> to map the survey to the OWASP project offering. For example, from the
>>> survey we could gather that certain industry sectors are less mature than
>>> others and that some software security processes are more adopted than
>>> others. Based upon this info we could better drive our focus to the areas
>>> that are less mature and need more dent from OWASP funding and projects.
>>> 
>>> Regards
>>> 
>>> Marco
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: global_industry_committee-bounces at lists.owasp.org
>>> [mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of
>>> Colin Watson
>>> Sent: Wednesday, July 20, 2011 4:59 AM
>>> To: Eoin
>>> Cc: global_industry_committee at lists.owasp.org
>>> Subject: Re: [Global_industry_committee] Interim lead of GIC
>>> 
>>> Marco - thanks for your contribution to this, but I'd like to
>>> reinforce Eoin's request.  The more knowledge you can share with us,
>>> the better.
>>> 
>>> Do we know if Joe is still a committee member, or did he just resign as
>>> chair?
>>> 
>>> Colin
>>> 
>>> On 20 July 2011 09:34, Eoin <eoin.keary at owasp.org> wrote:
>>>> Congrats Rex, can the GIC ask Kate to announce this to the leaders list?
>>>> Marco, I believe we would still value your input as a rep for industry
>>>> concerns; would it be possible to get a wish list from you and your peer
>>>> group of issues OWASP could help address?
>>>> Feedback on the industry survey would also be helpful.
>>>> Eoin
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 20 Jul 2011, at 01:37, Rex Booth <rex.booth at owasp.org> wrote:
>>>> 
>>>>> Marco,
>>>>> 
>>>>> Much obliged.  I'd greatly appreciate your support and insight assuming
>>>>> the rest of the committee agrees with this approach to the transition.
>>>>> 
>>>>> Thanks,
>>>>> Rex
>>>>> 
>>>>> On 7/19/2011 6:38 PM, Marco M. Morana wrote:
>>>>>> Rex
>>>>>> 
>>>>>> I will be happy to have you step in as president of GIC and support you
>>>>>> in the endeavor as vice. That makes sense since you have already been
>>>>>> elected.
>>>>>> 
>>>>>> Regards
>>>>>> 
>>>>>> Marco
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Sent from my iPhone
>>>>>> 
>>>>>> On Jul 19, 2011, at 4:13 PM, David Campbell <dcampbell at owasp.org>
>>>>>> wrote:
>>>>>> 
>>>>>>> Agreed. Rex was elected and had our support until Joe swept in :)
>>>>>>> 
>>>>>>> I support Rex for this role.
>>>>>>> 
>>>>>>> DC
>>>>>>> 
>>>>>>> 
>>>>>>> On 7/19/2011 13:10, Rex Booth wrote:
>>>>>>>> I'm interested in leading for a year (or as an interim).  For what
>>>>>>>> it's worth, I had been "elected" by the committee when I stepped aside
>>>>>>>> for Joe to take over.  That said, I like Marco as well and certainly
>>>>>>>> wouldn't object to his leadership.
>>>>>>>> 
>>>>>>>> However, I don't agree that an industry guy needs to lead the
>>>>>>>> committee.  The fact that one works in industry makes one no more or
>>>>>>>> less able to lead our mission.  In fact, it may be the consultants
>>>>>>>> who are used to interacting with a wide range of industry as clients
>>>>>>>> who are best able to execute our mission.
>>>>>>>> 
>>>>>>>> Rex
>>>>>>>> 
>>>>>>>> On 7/19/2011 1:34 PM, Eoin wrote:
>>>>>>>>> Thanks Colin, I am aware I am shooting from the hip here. I believe
>>>>>>>>> we need an industry rep to lead the GIC and Marco is a great guy.
>>>>>>>>> To do GIC lead shall take a fair bit of work. Also, re membership of
>>>>>>>>> GIC, I don't believe that is a problem if we can find the correct
>>>>>>>>> replacement?
>>>>>>>>> Anyone else want to chime in?
>>>>>>>>> 
>>>>>>>>> Eoin
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 19 Jul 2011, at 17:59, Colin Watson <colin.watson at owasp.org>
>>>>>>>>> wrote:
>>>>>>>>> 
>>>>>>>>>> Eoin
>>>>>>>>>> 
>>>>>>>>>> That's sad to hear.  I guess Marco would need to become a committee
>>>>>>>>>> member, but we should ask if anyone else on the committee is
>>>>>>>>>> interested too in this interim role... and this email is prompting
>>>>>>>>>> members to reply.  Yes, we could do without too big a gap - it was a
>>>>>>>>>> problem at the start of the year.
>>>>>>>>>> 
>>>>>>>>>> Regards
>>>>>>>>>> 
>>>>>>>>>> Colin
>>>>>>>>>> 
>>>>>>>>>> On 19 July 2011 17:21, Eoin <eoin.keary at owasp.org> wrote:
>>>>>>>>>>> Hello GIC,
>>>>>>>>>>> 
>>>>>>>>>>> I am sorry to say that Joe has resigned from the position of GIC
>>>>>>>>>>> leader.
>>>>>>>>>>> May I suggest we offer the position to Marco Morana, who works in
>>>>>>>>>>> Citi and represents industry?
>>>>>>>>>>> Thoughts please, as I'd like to offer him the position sooner
>>>>>>>>>>> rather than later.
>>>>>>>>>>> 
>>>>>>>>>>> I believe he is willing to take on the role until we elect a new
>>>>>>>>>>> leader with a suitable profile.
>>>>>>>>>>> Eoin
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> --
>>>>>>>>>>> Eoin Keary
>>>>>>>>>>> OWASP Global Board Member
>>>>>>>>>>> OWASP Code Review Guide Lead Author
>>>>>>>>>>> 
>>>>>>>>>>> https://twitter.com/EoinKeary
>>>>>>>>>>> http://twitter.com/BCCRiskAdvisory
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Global_industry_committee mailing list
>>>>>>>>>>> Global_industry_committee at lists.owasp.org
>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee