[Owasp-board] My 'guest blogger' post for http://www.gnucitizen.org/

Dinis Cruz dinis at ddplus.net
Fri Mar 2 11:03:59 UTC 2007

Hi guys,

Pdp from http://www.gnucitizen.org/ asked me to write a 'guest blog' entry
for his blog, and i came out with the post below, which turned out to be a
good intro to OWASP.

So, before it goes live (and since I will probably also post it in other
places) i just wanted to have your opinion on it (and see if you spot any

Let me know asap what you think,  since your feedback is all that is holding
this post from going live.



---------- Forwarded message ----------
From: Dinis Cruz <dinis at ddplus.net>
Date: Mar 2, 2007 10:54 AM
Subject: on OWASP
To: "pdp (architect)" <pdp.gnucitizen at googlemail.com>

Hello, on this guest blog post (thanks pdp) I would like to talk something
that is very important to me (I will write about .NET's partial trust next
time :) )

OWASP is the Open Web Application Security Project <http://www.owasp.org> (
http://www.owasp.org) which is an worldwide open community of like-minded
security professionals focused on improving the current state of Web
Application Security.

At OWASP I take the role of Chief OWASP Evangelist, and although I don't
like the title it gives me a good excuse to talk about OWASP , to promote
its projects and to speak at OWASP conferences and chapters. I  am also part
of the OWASP board (together with Jeff Williams, Andrew van der Stock and
Dave Wichers), lead the .Net Project
<http://www.owasp.org/index.php/Category:OWASP_.NET_Project>(help needed)
and organize the London Chapter

Professionally I have been generously rewarded for my contributions to
OWASP. In addition to the learning, meeting new people and conferences
participations, I can say that for the past 18 months every single paid
project that I was contracted to do, originated from contacts that I meet
via OWASP. So I have authority to say that actively participating in OWASP
can be very beneficial to your career (even if you don't care about the
great kudos and karma that will come with that participation).

At the OWASP projects
page<http://www.owasp.org/index.php/Category:OWASP_Project>you will
find numerous projects some of which I am sure you will find very

   - OWASP Top Ten
the new (still in consultation mode)OWASP T10 207 RC1
   - OWASP Testing
newly release document about application security testing procedures
   - Web Goat<http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project>-
 an online training environment for hands-on learning about
   - WebScarab<http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>a
tool for performing all types of security testing on web applications
   web services (check out the new version:  WebScarab
   - CLASP <http://www.owasp.org/index.php/Category:OWASP_CLASP_Project>(Comprehensive,
Lightweight Application Security Process) - a project
   focused on defining process elements that reinforce application security
   - Live CD<http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project>-
a Linux based Live CD containing ready to use versions of OWASP tools
   - other tools projects: Site
   Report Generator<http://www.owasp.org/index.php/ORG_%2528Owasp_Report_Generator%2529>,
   CAL 9000<http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project>,
   Encoding Project<http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project>,
   LAPSE <http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project>,
   SQLiX <http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project>,
   JBroFuzz <http://www.owasp.org/index.php/Category:OWASP_JBroFuzz>,
   Orizon <http://www.owasp.org/index.php/Category:OWASP_Orizon_Project>,

   - other documentation projects: Code
   App Sec FAQ<http://www.owasp.org/index.php/Category:OWASP_AppSec_FAQ_Project>,
   Guide Project<http://www.owasp.org/index.php/Category:OWASP_Guide_Project>,
   Legal Project<http://www.owasp.org/index.php/Category:OWASP_Legal_Project>,
   AJAX Security
   Application Security Assessment
   Application Security
   Carrer Development<http://www.owasp.org/index.php/Category:OWASP_Career_Development_Project>,
   WASS (Web Application Security Standards)
   XML Security Gateway Evaluation
   - and technological specific projects:
   .Net <http://www.owasp.org/index.php/Category:OWASP_.NET_Project> and
   PhP <http://www.owasp.org/index.php/Category:OWASP_PHP_Project>

OWASP Foundation is a USA based 501c3 not-for-profit charitable organization
where all money made (from conferences, memberships and website
advertisement) goes back into OWASP. For example last year OWASP gave
sponsorships worth 35,000 USD under the OWASP Autumn of Code (AoC) activity
to 9 individuals (from around the world) to improve 9 OWASP projects. The
AoC was so successful that we are about to launch the SpoC (Spring of Code)
which will sponsor a larger number of projects (and hopefully take OWASP to
the next level).

Speaking from personal experience, the more you put in OWASP the more you
get out of it. Due to its openness and 'no-vendor-bullshit-here-please'
attitude (thanks Mark for that) OWASP tends to attract highly intelligent,
interesting and professional individuals (I am always humbled by the talent
that I meet at our conferences and chapter meetings). So if you haven't
already, please join us and make us better.

The first place to start should be a local OWASP chapter. As you can see in
the OWASP Chapter
page<http://www.owasp.org/index.php/Category:OWASP_Chapter>there are
currently 85 chapters around the world so you have plenty to chose
from (Argentina,  Atlanta, Austin, Austria (Vienna) , Bangalore , Barcelona
, Belgium , Boston, Boston, Brazil, Brisbane , Australia, Buffalo,
Charlotte, Chennai, Chicago, Chile , Cleveland, Colombia , Columbus, Delhi ,
Denmark, Denver , Edmonton, Canada, France , Ft Lauderdale, Germany, Greece
, Helsinki, Hong Kong, Houston, Hyderabad, Israel,  Italy , Kansas City,
Kerala , Kolkata, Kuwait, London, Long Island , Los Angeles , Luxembourg,
Madison , Malaysia , Manila , Melbourne, Memphis, Mexico City,
Minneapolis/St. Paul , Mumbai , Nashville , Netherlands, New York City, New
Zealand , Northern New Jersey, Omaha , Ottawa , Pakistan , Panama ,
Philadelphia , Phoenix , Pittsburgh , Riyadh , Rochester , Sacramento ,
Saint Louis , San Antonio , San Francisco , San Jose , Seattle , Singapore ,
South Korea , Switzerland , Sydney , Tainan , Tokyo , Toronto , Turkey ,
Vancouver , Washington (Maryland) , Washington (Virginia), Winnipeg
Manitoba). And if you are not close to one, check out the Chapter Leader
Handbook <http://www.owasp.org/index.php/Chapter_Leader_Handbook>and start

Since everything at OWASP is (and always will be) open and free (as in beer
and speech) you (and your companies) DON'T have to become OWASP members to
benefit from it (and to edit our WIKI based website). BUT, if you (and your
companies) benefit from OWASP, you should join as a member mainly for two
reasons: 1) publicly associate yourself with OWASP's goals and 2)
financially support the projects that you use (starting this year we are
asking new members to indicate which OWASP projects they would like their
membership fees to be used on).

And for the sceptics amongst you that are now asking, "humm.... what is the
catch? there must be a catch? there always is a catch!!!", .....well.....  I
think I will disappoint you when I say that there is no 'catch'. OWASP is an
open community, and we are just trying to make our online world safer and
more secure.

Just a final word to say that I am here to help, so feel free to contact me
on dinis.cruz at owasp dot net (and if I don't reply in a couple days, just
keep re-sending that email :) )

Thanks for reading,

Dinis Cruz
Chief OWASP Evangelist
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20070302/d6bc1e38/attachment-0002.html>

More information about the Owasp-board mailing list