[Owasp-board] OWASP Pledges?

Dinis Cruz dinis at ddplus.net
Tue Dec 12 17:45:17 UTC 2006


On the contrary this is great stuff

My only worry is how do we prevent abuse and somehow ensure that
people/companies do what they claim they do.

If we take the approach that we will not (for now) verify all or most claims
made, then we should:

   - Make the fact that the claims are not verified very clear (or at
   least that we don't check it unless there is a complaint)
   - Create a workflow to allow for 'non compliance' claims to be
   verified (i.e. somebody claims to be compliant when it is not)
   - Make it as comprehensive as possible (and try to integrate as many
   OWASP projects in there as possible (for example the developers have to go
   through Web Goat and Site Generator))

Otherwise it is a great idea, I really like the potential of this, and the
opportunity to reward the companies that have those 5 items.

Actually we should add publicly verifiable items for each one (for example
the security team contact must be public and it must work :) )

Let's open the discussion to the owasp-leaders list

Dinis


On 12/8/06, Jeff Williams < jeff.williams at owasp.org> wrote:
>
> Is this a dumb idea (of mine)?
>
> http://www.owasp.org/index.php/OWASP_Corporate_Application_Security_Pledge
>
> http://www.owasp.org/index.php/OWASP_Developer_Application_Security_Pledge
>
> --Jeff
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-board
>


-- 
Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
http://www.owasp.org