[Owasp-board] FW: [WEB SECURITY] WASC Threat Classification Project - Call for Participants

Jeff Williams jeff.williams at owasp.org
Wed Mar 14 17:24:37 UTC 2007


FYI

--Jeff

-----Original Message-----
From: Jeff Williams [mailto:jeff.williams at owasp.org] 
Sent: Wednesday, March 14, 2007 1:24 PM
To: 'Jeremiah Grossman'
Cc: Robert Auger
Subject: RE: [WEB SECURITY] WASC Threat Classification Project - Call for
Participants

Thanks Jeremiah,

I totally understand wanting to see what WASC can do.  When I asked about it
originally, I don't think Robert had announced the effort to update it.

I do hope we can get past any hard feelings from OWASP's past leadership. I
assure you that there is nothing but respect for the WASC participants on
this end. I hope to get to know you all better.  I think you'll find that
I'm a straight shooter and not political at all. Check out my bio from
Anurag in a few weeks ;-)

I think you're right that the best way to proceed is to start working
together and see what happens.  Perhaps there will be a SpoC project that
WASC wants to help with...

Talk to you soon.

--Jeff

Jeff Williams, Chair
The OWASP Foundation
Work: 410-707-1487
Main: 301-604-4882
"Dedicated to finding and fighting the causes of insecure software"

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: Wednesday, March 14, 2007 1:13 PM
To: Jeff Williams
Cc: Robert Auger
Subject: Re: [WEB SECURITY] WASC Threat Classification Project - Call for
Participants

Hi Jeff,

	Thank you as well. We certainly haven't chatted enough in the past.

Let me loop Robert in on the conversation. He's one of a cherished few
that have really been stepping up and making things happen. I'll
outline the topics and share my thoughts.

WASC has a lot to offer, but we're missing a few key pieces to fly.
We're trying to remedy.


1) Threat Classification
Over the past two years the TC has become a very important community
document, but as with all things tech, it needs steady improvement.
As expressed, the challenge we've had in doing so is not contributors,
but leaders, and there are only so many good ones to go around. From
our conversation it seems we have the same issue between the orgs
with many of the projects.

We appreciate your offer for resources to get the project going
again, but I think Robert has managed to stimulate some activity and
the mailing list is finally active.  Subscribe:
wasc-threat-subscribe at webappsec.org if you are not already on it.
We'll see if we can keep it going till completion.

If Robert finds he's having a hard time managing the project himself,
or with a suitable volunteer leader, we may want to revisit your offer
to get a paid project coordinator. This document really needs to be  
supported by both our organizations and we'd value OWASP's input. Not  
only on the technical aspect, but perhaps helping to develop a  
mapping between the TC and the new OWASP Top 10. I noticed in the  
recent T10 draft, there is a chart in there. We'd like to provide the  
same but would need assistance.

You mentioned co-branding, I would be happy to discuss options, and
would like to get Robert's input as well.



2) Mailing List

I wasn't aware what SF had or hadn't done with your mailing list, but  
we did notice a drop in list traffic. I guess things turned out bad.  
Again, Robert is the sole list moderator, as he is the person most  
suited for the role. The popularity of our list is one of our main  
sources of value. Lots of good traffic and lots of subscribers. It
would be nice for the community to start combining these resources  
and making it easy.

I'd like to see what Robert has to say on the matter...


3) Joining Forces

As I expressed on the phone, I broached the subject to our Officers
some weeks back. The response wasn't negative, but not
overwhelmingly positive either and most preferred to wait. Many first
want to see what WASC was capable of as they see we're steadily growing.
Others seemed to still feel slighted from past experiences from former
OWASP leadership. My personal thought is those issues can be overcome
and at this point it makes more sense for the community to have one  
open and central organization. Our goals appear to be more closely  
aligned than they have in years past. However, I'm not the sole voice  
of WASC and decisions like this would have to be unanimous.

Perhaps the best way to proceed in whatever outcome is to begin  
working more closely and collaboratively in our respective projects.  
We'll find the synergies and over time people will become more  
comfortable with the idea.

Regards,

Jeremiah-


On Mar 13, 2007, at 8:05 PM, Jeff Williams wrote:

> Jeremiah,
>
> Thanks for the time today - let me know where the WASC board comes  
> down.
> The OWASP Board is interested in pursuing this.  What would you think
> about having a single mailing list (yours)?  Since SF screwed up our
> list and we had to move it we basically lost all our subscribers.
>
> There's information about our courses on our website at
> http://www.aspectsecurity.com/training.htm
>
> --Jeff
>
> Jeff Williams, CEO
> Aspect Security
> Work: 410-707-1487
> Main: 301-604-4882
>
> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
> Sent: Tuesday, March 13, 2007 1:07 PM
> To: jeff.williams at owasp.org
> Subject: Re: [WEB SECURITY] WASC Threat Classification Project - Call
> for Participants
>
> 408.492.1817 (Office), just ask for me. I'm in and out of meetings
> constantly, so if for whatever reason I'm not available, I'll give you a
> ring back as soon as I can. #?
>
>
>
>
> On Mar 12, 2007, at 8:22 PM, Jeff Williams wrote:
>
>> No problem.  I'm free in the afternoon both days.  What's the best
>> number to reach you?  Here's my contact info.
>>
>> --Jeff
>>
>> Jeff Williams, Chair
>> The OWASP Foundation
>> Work: 410-707-1487
>> Main: 301-604-4882
>> "Dedicated to finding and fighting the causes of insecure software"
>>
>>
>> -----Original Message-----
>> From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
>> Sent: Monday, March 12, 2007 6:35 PM
>> To: jeff.williams at owasp.org
>> Cc: Michael Sutton; Robert Auger
>> Subject: Re: [WEB SECURITY] WASC Threat Classification Project -
>> Call for
>> Participants
>>
>> It didn't get lost. I'm just an idiot and it got filed in the wrong
>> folder in my email mess. My apologies. I'm Cc'ing Robert since he's
>> putting the new team together. In any event, I'm more than happy to
>> take a call. Just about anytime tomorrow or the next day is good....
>>
>>
>> Jer-
>>
>> On Mar 12, 2007, at 3:32 PM, Jeff Williams wrote:
>>
>>> Hi Michael,
>>>
>>> I sent the message below to Jeremiah a few weeks ago, but perhaps
>>> it got lost. If OWASP can provide some support to this project, I
>>> think that'd be great.  Let me know your thoughts.
>>>
>>> Thanks,
>>>
>>> --Jeff
>>>
>>>
>>> -----Original Message-----
>>> From: Jeff Williams [mailto:jeff.williams at owasp.org] On Behalf Of
>>> Jeff
>>> Williams
>>> Sent: Thursday, February 22, 2007 11:37 AM
>>> To: Jeremiah Grossman
>>> Subject: RE: WASC Threat Classification
>>>
>>> Hi Jeremiah,
>>>
>>> If there's interest in updating it on your part, OWASP could give a
>>> grant to a project leader as part of the "Spring of Code" that's just
>>> around the corner.  This approach seems to work pretty well and
>>> produced the Testing Guide in the "Autumn of Code" we just completed.
>>> This time around we're going to grant close to $100K for cool
>>> projects.
>>>
>>> I think a collaborative effort between OWASP and WASC would be very
>>> well respected and could help raise awareness.  (Not asking for a lot
>>> of your time here).  I'd want the wiki to be the "working" version
>>> and we would periodically (quarterly, yearly) generate Word and PDF
>>> versions directly from the wiki.  (Rogan just finished the tool to do
>>> this).  We'd also link it in with all the related vulnerabilities,
>>> countermeasures, etc...
>>>
>>> If you're interested, let's get on the phone and discuss it.   
>>> Thanks,
>>>
>>> --Jeff
>>>
>>> Jeff Williams, Chair
>>> The OWASP Foundation
>>> work: 410-707-1487
>>> main: 301-604-4882
>>>
>>> "Dedicated to finding and fighting the causes of insecure software"
>>>
>>>
>>> -----Original Message-----
>>> From: Michael Sutton [mailto:msutton at spidynamics.com]
>>> Sent: Monday, March 12, 2007 2:37 PM
>>> To: Jeff Williams
>>> Subject: FW: [WEB SECURITY] WASC Threat Classification Project -
>>> Call for
>>> Participants
>>>
>>> Jeff,
>>>
>>> Since we'd spoken about this before I just wanted to ensure that
>>> you'd seen the post. I know that they're interested in all of the
>>> help that they can get.
>>>
>>> Take care,
>>>
>>> Michael
>>>
>>> -----Original Message-----
>>> From: robert at webappsec.org [mailto:robert at webappsec.org]
>>> Sent: Saturday, March 10, 2007 7:41 PM
>>> To: websecurity at webappsec.org
>>> Subject: [WEB SECURITY] WASC Threat Classification Project - Call  
>>> for
>>> Participants
>>>
>>> Hello everyone,
>>>
>>> I'm sending this email to the list seeking people to contribute
>>> towards The Threat Classification Version 2.0. Time has passed since
>>> the initial TC release, and it's important to keep this widely
>>> utilized document up to date.
>>>
>>> Project Homepage
>>> http://www.webappsec.org/projects/threat/
>>>
>>> Interested participants can contact 'contact_ at _webappsec.org' with
>>> any questions.
>>>
>>> Regards,
>>>
>>> - Robert Auger
>>> robert_ at _webappsec.org
>>> http://www.webappsec.org/
>>>