[Owasp-board] OWASP and Microsoft

Dinis Cruz dinis at ddplus.net
Mon Dec 10 17:08:00 UTC 2007

Hi Jeff,
I agree with you that the .NET project more focused on my past research.
That is something I don't agree with and wish I could find somebody to
create something like the OWASP Java Project.
I am also more than happy to add more leaders to this project (or even not
be the leader at all). The problem is finding that person.

The problem that we (OWASP) have with .NET is that Microsoft already has
quite a lot of very good security information online. So maybe a good start
would be to ask Microsoft if they allow us (namely the OWASP .NET project)
to grab the best security content from here  from

That would be a great start since there is lots of content in there that I
would like to expand on (and not have to create from scratch).

I actually had this idea when talking to Stefano while we were discussing
how to put more Flash stuff in OWASP and we come up with the idea that Adobe
should donate the IP of they security documentation (soon to be published)
to OWASP so that we can post it on our wiki and expand it.

So we could start with Microsoft and then make the same request to Adobe.

What do you think?

Regarding the separation between our roles I agree that that is something we
need to be aware. Tom is working on Governance so lets see what he comes up
with ;),  but I feel that the solution is to make explicit references to our
owasp-board actions. Everything else is done as an individual member.


On 11/29/07, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
>  Dinis,
> Had a conversation with Mark and Katie about Microsoft sponsorship and
> support to OWASP.  Their primary concern is that OWASP seems to have a
> negative slant against .NET which I think is unfortunate.  I haven't really
> looked at the .NET project in a long time (shame on me), but it seems that
> instead of providing information on how to use the platform securely, we
> have primarily focused on the bad stuff.
> I think providing security tools is great, even ones that help point out
> holes, but the spin is all wrong.  The .NET project should be a survey type
> project – capturing best practices and getting them out there in a useful
> fashion.  If we have a "working group" intended to get Microsoft to change
> their platform for the better, that's great.  It should be like a single
> link on a comprehensive page dedicated to .NET.
> I want to make the coverage more balanced – like the Java project.  If you
> have any problems with radically reworking the .NET project page to be more
> like the Java project, let me know.
> Also, as members of the board we need to be very careful about pushing our
> personal agendas.  When we speak in public it always appears as though we
> are speaking for OWASP.  I'm not sure how to address this issue as I know
> you are very passionate about certain topics (well really only sandboxes).
> Perhaps we need to be very clear when presenting whether we're talking from
> OWASP or Aspect or Ounce or DDPlus or whatever.
> Thanks,
> --Jeff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20071210/4b61ac0f/attachment-0002.html>

More information about the Owasp-board mailing list