[Owasp-board] Fwd: OWASP and Microsoft
dinis at ddplus.net
Thu Dec 27 23:51:37 UTC 2007
Hey Mark (and Andrew & Katie)
What do you think of the idea below of OWASP being given access to
MSDN or channel 9 content?
The catch is that we would have to release that content under the same
license we currently have in our website (CC).
It sounds to me like a win-win proposition
---------- Forwarded message ----------
From: Dinis Cruz <dinis at ddplus.net>
Date: Dec 10, 2007 5:08 PM
Subject: Re: OWASP and Microsoft
To: OWASP Board <owasp-board at lists.owasp.org>
I agree with you that the .NET project is more focused on my past
research. That is something I don't agree with and wish I could find
somebody to create something like the OWASP Java Project.
I am also more than happy to add more leaders to this project (or even
not be the leader at all). The problem is finding that person.
The problem that we (OWASP) have with .NET is that Microsoft already
has quite a lot of very good security information online. So maybe a
good start would be to ask Microsoft if they allow us (namely the
OWASP .NET project) to grab the best security content from here from
That would be a great start since there is lots of content in there
that I would like to expand on (and not have to create from scratch).
I actually had this idea when talking to Stefano while we were
discussing how to put more Flash stuff in OWASP and we came up with
the idea that Adobe should donate the IP of their security
documentation (soon to be published) to OWASP so that we can post it
on our wiki and expand it.
So we could start with Microsoft and then make the same request to Adobe.
What do you think?
Regarding the separation between our roles I agree that that is
something we need to be aware of. Tom is working on Governance so let's
see what he comes up with ;), but I feel that the solution is to make
explicit references to our owasp-board actions. Everything else is
done as an individual member.
On 11/29/07, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
> Had a conversation with Mark and Katie about Microsoft sponsorship and support to OWASP. Their primary concern is that OWASP seems to have a negative slant against .NET which I think is unfortunate. I haven't really looked at the .NET project in a long time (shame on me), but it seems that instead of providing information on how to use the platform securely, we have primarily focused on the bad stuff.
> I think providing security tools is great, even ones that help point out holes, but the spin is all wrong. The .NET project should be a survey type project – capturing best practices and getting them out there in a useful fashion. If we have a "working group" intended to get Microsoft to change their platform for the better, that's great. It should be like a single link on a comprehensive page dedicated to .NET.
> I want to make the coverage more balanced – like the Java project. If you have any problems with radically reworking the .NET project page to be more like the Java project, let me know.
> Also, as members of the board we need to be very careful about pushing our personal agendas. When we speak in public it always appears as though we are speaking for OWASP. I'm not sure how to address this issue as I know you are very passionate about certain topics (well really only sandboxes). Perhaps we need to be very clear when presenting whether we're talking from OWASP or Aspect or Ounce or DDPlus or whatever.