[Owasp-board] OWASP & Adobe

Jeff Williams jeff.williams at owasp.org
Thu Jan 31 21:47:19 UTC 2008


Stefano,

Just wanted to let you know that I had a great meeting with the guys at
Adobe and they're ready to start helping with the Flash project.

They have some content that they'd like to make available through OWASP,
with the understanding that you'd be the "moderator" and help make sure the
information is balanced and maintains a "neutral point of view". Any
conflicts will be handled according to the Wikipedia Conflict of Interest
policy (using "talk" pages, etc...).

For their part, Adobe is looking into becoming a corporate member and is
agreeable to joining our (just forming) Board of Advisors. I'm really
looking forward to seeing what you all come up with.  Thanks!

--Jeff

Jeff Williams, Chair
The OWASP Foundation
work: 410-707-1487
main: 301-604-4882


-----Original Message-----
From: Peleus Uhley [mailto:puhley at adobe.com] 
Sent: Wednesday, January 23, 2008 7:34 PM
To: jeff.williams at owasp.org
Cc: Erick Lee; Lucas Adamski
Subject: RE: OWASP & Adobe


	We would be honored to be able to work with the OWASP board and
we appreciate your considering us.  I believe we have some availability
Friday between 10 and noon.  Would that work for you?

-Peleus

---------------- 
Peleus Uhley
Senior Security Researcher
Adobe Systems Inc.
puhley at adobe.com
(415) 832-5499 (desk)
(415) 596-9073 (cell)

 

> -----Original Message-----
> From: Jeff Williams [mailto:jeff.williams at owasp.org] 
> Sent: Wednesday, January 23, 2008 1:37 PM
> To: Peleus Uhley
> Cc: Erick Lee; Lucas Adamski
> Subject: RE: OWASP & Adobe
> 
> Hi Peleus,
> 
> Do you have some time this week to discuss the relationship 
> with OWASP?  I'm hoping we can formalize something where we 
> partner to create a source of free, unbiased information 
> about securing applications using Flash-related technologies.
> 
> We're also very interested in having Adobe join our newly 
> forming Board of Advisors along with several other companies.
> 
> Thanks,
> 
> --Jeff
> 
> Jeff Williams, Chair
> The OWASP Foundation
> work: 410-707-1487
> main: 301-604-4882
> 
> 
> -----Original Message-----
> From: Peleus Uhley [mailto:puhley at adobe.com]
> Sent: Monday, January 21, 2008 6:08 PM
> To: Stefano Di Paola
> Cc: Dinis.Cruz at owasp.org; jeff.williams at owasp.org; 
> dave.wichers at owasp.org; tomb at owasp.org; seba at owasp.org; Erick 
> Lee; Lucas Adamski
> Subject: RE: OWASP & Adobe
> 
> Hello Stefano,
> 
> 	Since we haven't yet defined a formal relationship 
> between OWASP and Adobe, I thought I would go ahead and send 
> over some possible links for the Flash Security Project page 
> while we work out the details.  You can review them and 
> determine which ones are appropriate for the site.
> For the purposes of full disclosure, all of these links are 
> to projects or articles that Adobe is officially associated with.
> 
> Flash Validators:
> Data Validation Libraries for ActionScript 2.0 and 3.0 and 
> the Flash Authoring environment.
> http://code.google.com/p/flash-validators/
> 
> Flex 3.0 SDK:
> Includes data validation libraries for the Flex environment.
> http://labs.adobe.com/technologies/flex/sdk/
> 
> as3Corelib:
> The corelib project is an ActionScript 3 Library that 
> contains a number of classes and utilities for working with 
> ActionScript 3. These include classes for MD5 and SHA 1 
> hashing, web services security username token implementation, 
> and JSON serialization as well as several other classes.
> http://code.google.com/p/as3corelib/
> 
> Creating more secure SWF applications:
> An article describing common security concerns and data 
> validation techniques for ActionScript programmers.
> http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html
> 
> Security changes in Flash Player 9:
> Details important security changes to the crossdomain.xml and 
> socket policy file systems.  Everyone must migrate to these 
> new formats because, in the very near future, the old formats 
> will no longer be supported.
> http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html
> 
> The Flash Player Development Center Security Section:
> List of the most recent articles by Adobe related to Flash Security.
> http://www.adobe.com/devnet/flashplayer/security.html
> 
> The Flash Player 9.0 Security Whitepaper:
> Explains the basic security model of the Flash Player.
> http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf
> 
> 
> 	Let me know if you have any questions or concerns.
> 
> thanks,
> -Peleus
> 
> ----------------
> Peleus Uhley
> Senior Security Researcher
> Adobe Systems Inc.
> puhley at adobe.com
> (415) 832-5499 (desk)
> (415) 596-9073 (cell)
> 
>  
> 
> > -----Original Message-----
> > From: Stefano Di Paola [mailto:stefano.dipaola at mindedsecurity.com]
> > Sent: Wednesday, January 09, 2008 8:54 AM
> > To: Peleus Uhley
> > Cc: Dinis.Cruz at owasp.org; jeff.williams at owasp.org; 
> > dave.wichers at owasp.org; tomb at owasp.org; seba at owasp.org; Erick Lee; 
> > Lucas Adamski
> > Subject: Re: OWASP & Adobe
> > 
> > Hi Peleus,
> > 
> > First of all, let me say happy new year and welcome to the
> > project:) I think that an involvement of Adobe in the OWASP Flash 
> > security project would be a very good idea.
> > As for the technical details of how Adobe should participate in the 
> > project, that is probably a question which I'd prefer to redirect to the 
> > OWASP board.
> > In my opinion it could be interesting to set up a mailing list, 
> > moderated by me with some sort of co-moderation or, at least, actively 
> > participated by you.
> > The same for what regards the content on OWASP Wiki, given that OWASP 
> > community will be free to give any information about Flash security 
> > without any sort of censorship. :)
> > 
> > Anyway I think it would be a good start if Adobe were involved from 
> > the beginning.
> > 
> > I'll look forward to OWASP board replies.
> > 
> > Cheers,
> > Stefano
> > 
> > 
> > On Fri, 04/01/2008 at 16.29 -0800, Peleus Uhley wrote:
> > > Stefano,
> > > 
> > > 	I hope you had a good holiday break and a Happy New Year.  I wanted
> > > to discuss with you the Flash Security section of the OWASP site.
> > > Adobe would like to contribute to the materials posted on the web site.
> > > 	We realize that, as the authors of the software being discussed,
> > > there may be potential conflicts of interest in our involvement.  For
> > > instance, Adobe shouldn't moderate a message board or use the site to
> > > post marketing materials :).  However, we do want to reach out and 
> > > provide as much security related materials and information that we can
> > > to the security community regarding Flash.
> > > 	Do you or the OWASP team have any guidance on how Adobe can 
> > > contribute to this project without infringing on OWASP's vendor 
> > > neutrality and open community?  Should I forward my suggestions to you
> > > for review or should I just go ahead and start posting links?  We 
> > > would like to be able to provide links to our most current security 
> > > information in a positive manner that does not cross any ethical 
> > > boundaries.
> > > 	Please let us know how we can best work together.
> > > 
> > > thanks,
> > >   -Peleus
> > > 
> > > ----------------
> > > Peleus Uhley
> > > Senior Security Researcher
> > > Adobe Systems Inc.
> > > puhley at adobe.com
> > > (415) 832-5499 (desk)
> > > (415) 596-9073 (cell)
> > > 
> > > 
> > --
> > Stefano Di Paola
> > Chief Technology Officer, Lead Auditor ISO 27001 Minded Security - 
> > Application Security Consulting
> > 
> > Cell: +39 3209495590
> > Email: stefano.dipaola [at] mindedsecurity.com
> > 
> > Minded Security S.r.l.
> > Via Duca D'Aosta, n.20 50129 Firenze (FI) www.mindedsecurity.com
> > 
> > 
> > 
> 
> 
> 




