[Global_industry_committee] Interim lead of GIC

Eoin eoin.keary at owasp.org
Sun Jul 31 13:42:41 EDT 2011


Hi Marco,
Let's do the call on Thursday as you have suggested.
Can you set up a conference bridge?
Eoin

On 31 July 2011 15:52, Marco M. Morana <marco.m.morana at gmail.com> wrote:

> Eoin et al
>
> Herein attached is a draft of a document that covers business cases for
> application security.
>
> My idea is to expand this and put in a frame of an OWASP project such as
> OWASP Application Guide for CISOs.
>
> We could also include an analysis of your survey as part of it as well as
> other topics of CISO interest such as:
> 1) Strategic and tactical software security activities
> 2) Roadmap for software security adoption within the organization
> 3) Maturity of software security practices (e.g. SAMM, BSIMM, CMM)
> 4) Software security metrics and measures for CISOs, directors, dev
> managers
> 5) Security incidents and fraud: post mortem analysis
>
> I thought it would be nice to set up a conference call to talk about this
> and see if there is interest to contribute to this further for an OWASP
> project.
>
> How does next Thursday, August 4th, 11 AM EST / 7 AM PST look to you guys for a
> conference? If you can, please let me know.
>
> With best regards
>
> Marco M.
>
>
>
> -----Original Message-----
> From: Eoin [mailto:eoin.keary at owasp.org]
> Sent: Saturday, July 30, 2011 8:34 AM
> To: Colin Watson
> Cc: Marco M. Morana; global_industry_committee at lists.owasp.org
> Subject: Re: [Global_industry_committee] Interim lead of GIC
>
> Well, can we do a quick call next week to energise the team!
>
>
>
>
> On 30 Jul 2011, at 13:21, Colin Watson <colin.watson at owasp.org> wrote:
>
> > Just bumping this one.
> >
> > I was too busy to respond at the time, but will help if I can,
> >
> > Colin
> >
> > On 21/07/2011, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> >> I will put something together to look at this weekend. Perhaps we can set
> >> up a conf call next week? I can set up one if you let me know date and time
> >> that work for you
> >>
> >> Cheers
> >> Marco
> >>
> >> Sent from my iPhone
> >>
> >> On Jul 21, 2011, at 7:02 AM, Eoin <eoin.keary at owasp.org> wrote:
> >>
> >>> This sounds like a project?
> >>> Marco, Colin, fancy doing this together?
> >>> I believe it would have real impact and high adoption if done properly.
> >>>
> >>>
> >>>
> >>> On 21 July 2011 02:04, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> >>> Colin, Eoin
> >>>
> >>> Regarding ideas, it would be nice if we could provide some quantitative
> >>> risk management criteria for the OWASP T10, for example by qualifying the
> >>> business impacts based upon the type of incident as a result of an exploit
> >>> of a T10 and the cost of the incident. I wrote an article for a banking
> >>> magazine (AziendaBanca) in Italian and I thought it would be nice to
> >>> translate it and expand this in the context of an OWASP project.
> >>>
> >>> The usefulness of such a Business Impact Analysis project, from an ISO
> >>> (Info Sec Officer) perspective for example, is that today, when confronted
> >>> with a choice to invest in software/application security, there are no
> >>> quantitative criteria to decide how much we should spend and where. If I
> >>> can quantify the costs in terms of business impact of an exploit of a SQL
> >>> injection vulnerability, for example, for a site with millions of users,
> >>> and I can also provide some criteria to decide how much to spend in
> >>> software security measures and where to spend it, this will be very
> >>> useful. Assuming the OWASP T10 countermeasures are the choice, for
> >>> example, it is still not clear in which process, software security
> >>> activity, tools/policy I should put my focus; this also includes of course
> >>> people/training.
> >>>
> >>> Criteria that could produce this data will also serve the purpose of
> >>> making the business case for software security, for example when such
> >>> spending is justifiable in terms of cost savings, besides remediating
> >>> vulnerabilities reactively or incidents that exploit them, also by
> >>> comparing improved efficiency, e.g. fixing vulnerabilities early rather
> >>> than late in the SDLC.
> >>>
> >>> Regarding the survey, if I remember well, but I am not 100% sure, I think
> >>> specific questions to profile the person responding to the survey are
> >>> missing or not mandatory. I think that capturing the role and
> >>> responsibility of who submits it, as being a software developer, security
> >>> consultant or security manager/CISO, is of critical importance.
> >>>
> >>> I think what is really important in a survey is to try to get some data
> >>> to really understand what drives software security adoption for
> >>> organizations today, per different types of vertical. For example, is it
> >>> because of compliance? Is it because of an incident the company had? Who
> >>> is driving it from the organizational level? Which approach is used? Is it
> >>> top down (a la the Bill Gates memo) or is it bottom up from operations? Is
> >>> it driven by outside consulting services or by inside teams? I think also
> >>> we should try to map the survey to the OWASP project offering. For example,
> >>> from the survey we could gather that certain industry sectors are less
> >>> mature than others and that some software security processes are more
> >>> adopted than others. Based upon this info we could better drive our focus
> >>> in the areas that are less mature and need more dent from OWASP funding
> >>> and projects.
> >>>
> >>> Regards
> >>>
> >>> Marco
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: global_industry_committee-bounces at lists.owasp.org
> >>> [mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf
> Of
> >>> Colin Watson
> >>> Sent: Wednesday, July 20, 2011 4:59 AM
> >>> To: Eoin
> >>> Cc: global_industry_committee at lists.owasp.org
> >>> Subject: Re: [Global_industry_committee] Intrim lead of GIC
> >>>
> >>> Marco - thanks for your contribution to this, but I'd like to
> >>> reinforce Eoin's request.  The more knowledge you can share with us,
> >>> the better.
> >>>
> >>> Do we know if Joe is still a committee member, or did he just resign as
> >>> chair?
> >>>
> >>> Colin
> >>>
> >>> On 20 July 2011 09:34, Eoin <eoin.keary at owasp.org> wrote:
> >>>> Congrats Rex, can the GIC ask Kate to announce this to the leaders list?
> >>>> Marco, I believe we would still value your input as a rep for industry
> >>>> concerns; would it be possible to get a wish list from you and your peer
> >>>> group of issues OWASP could help address?
> >>>> Feedback on the industry survey would also be helpful.
> >>>> Eoin
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On 20 Jul 2011, at 01:37, Rex Booth <rex.booth at owasp.org> wrote:
> >>>>
> >>>>> Marco,
> >>>>>
> >>>>> Much obliged.  I'd greatly appreciate your support and insight assuming
> >>>>> the rest of the committee agrees with this approach to the transition.
> >>>>>
> >>>>> Thanks,
> >>>>> Rex
> >>>>>
> >>>>> On 7/19/2011 6:38 PM, Marco M. Morana wrote:
> >>>>>> Rex
> >>>>>>
> >>>>>> I will be happy to have you step in as president of GIC and support you
> >>>>>> in the endeavor as vice. That makes sense since you have already been
> >>>>>> elected.
> >>>>>>
> >>>>>> Regards
> >>>>>>
> >>>>>> Marco
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Sent from my iPhone
> >>>>>>
> >>>>>> On Jul 19, 2011, at 4:13 PM, David Campbell <dcampbell at owasp.org> wrote:
> >>>>>>
> >>>>>>> Agreed. Rex was elected and had our support until Joe swept in :)
> >>>>>>>
> >>>>>>> I support Rex for this role.
> >>>>>>>
> >>>>>>> DC
> >>>>>>>
> >>>>>>>
> >>>>>>> On 7/19/2011 13:10, Rex Booth wrote:
> >>>>>>>> I'm interested in leading for a year (or as an interim).  For what
> >>>>>>>> it's worth, I had been "elected" by the committee when I stepped aside
> >>>>>>>> for Joe to take over.  That said, I like Marco as well and certainly
> >>>>>>>> wouldn't object to his leadership.
> >>>>>>>>
> >>>>>>>> However, I don't agree that an industry guy needs to lead the
> >>>>>>>> committee.  The fact that one works in industry makes one no more or
> >>>>>>>> less able to lead our mission.  In fact, it may be the consultants who
> >>>>>>>> are used to interacting with a wide range of industry as clients who
> >>>>>>>> are best able to execute our mission.
> >>>>>>>>
> >>>>>>>> Rex
> >>>>>>>>
> >>>>>>>> On 7/19/2011 1:34 PM, Eoin wrote:
> >>>>>>>>> Thanks Colin, I am aware I am shooting from the hip here. I believe
> >>>>>>>>> we need an industry rep to lead the GIC and Marco is a great guy.
> >>>>>>>>> To do GIC lead shall take a fair bit of work. Also re membership of
> >>>>>>>>> GIC, I don't believe that is a problem if we can find the correct
> >>>>>>>>> replacement?
> >>>>>>>>> Anyone else want to chime in?
> >>>>>>>>>
> >>>>>>>>> Eoin
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 19 Jul 2011, at 17:59, Colin Watson <colin.watson at owasp.org> wrote:
> >>>>>>>>>
> >>>>>>>>>> Eoin
> >>>>>>>>>>
> >>>>>>>>>> That's sad to hear.  I guess Marco would need to become a committee
> >>>>>>>>>> member, but we should ask if anyone else on the committee is
> >>>>>>>>>> interested too in this interim role... and this email is prompting
> >>>>>>>>>> members to reply.  Yes, we could do without too big a gap - it was a
> >>>>>>>>>> problem at the start of the year.
> >>>>>>>>>>
> >>>>>>>>>> Regards
> >>>>>>>>>>
> >>>>>>>>>> Colin
> >>>>>>>>>>
> >>>>>>>>>> On 19 July 2011 17:21, Eoin <eoin.keary at owasp.org> wrote:
> >>>>>>>>>>> Hello GIC,
> >>>>>>>>>>>
> >>>>>>>>>>> I am sorry to say that Joe has resigned from the position of GIC
> >>>>>>>>>>> leader.
> >>>>>>>>>>> May I suggest we offer the position to Marco Morana who works in
> >>>>>>>>>>> Citi and represents industry?
> >>>>>>>>>>> Thoughts please? As I'd like to offer him the position sooner
> >>>>>>>>>>> rather than later.
> >>>>>>>>>>>
> >>>>>>>>>>> I believe he is willing to take on the role until we elect a new
> >>>>>>>>>>> leader with a suitable profile.
> >>>>>>>>>>> Eoin
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> Eoin Keary
> >>>>>>>>>>> OWASP Global Board Member
> >>>>>>>>>>> OWASP Code Review Guide Lead Author
> >>>>>>>>>>>
> >>>>>>>>>>> https://twitter.com/EoinKeary
> >>>>>>>>>>> http://twitter.com/BCCRiskAdvisory
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> _______________________________________________
> >>>>>>>>>>> Global_industry_committee mailing list
> >>>>>>>>>>> Global_industry_committee at lists.owasp.org
> >>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Eoin Keary
> >>> OWASP Global Board Member
> >>> OWASP Code Review Guide Lead Author
> >>>
> >>> https://twitter.com/EoinKeary
> >>> http://twitter.com/BCCRiskAdvisory
> >>>
> >>>
> >>
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

https://twitter.com/EoinKeary
http://twitter.com/BCCRiskAdvisory