[Owasp-board] Strawman OWASP vision and mission
dave.wichers at owasp.org
Fri Jul 10 00:52:56 UTC 2009
On the mission side, I think we might want to add two things:
1) Add 'and language' to the framework developers comment.
2) I think we need to encourage consumers to ask for security and WHY
it's in their best interest to do so.
a. I actually think (maybe naively) that this might be the biggest
factor in the future influence of getting vendors to start focusing on
application security properly.
Should we organize the mission bullets into different audiences? Like
individual app producers, infrastructure producers, and consumers? Or
something like that? Maybe add assessment/consulting organizations as
targets for OWASP too?
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Jeff Williams
Sent: Wednesday, July 08, 2009 12:05 AM
To: 'OWASP Foundation Board List'
Subject: [Owasp-board] Strawman OWASP vision and mission
As discussed on the phone today, here is a strawman writeup of our VISION
and MISSION. Comments are encouraged!
The OWASP vision is how we expect the world to be in 3, 5, or 10 years. The
mission is how we will get there.
VISION: OWASP's vision is a world where it is possible for people to
understand the risks they are taking when they use software. In this world,
market forces drive the need for application security, not liability,
regulation, or compliance. In this world, software producers will want to
explain the security of their applications, how they were developed, and how
security was verified as a market differentiator. Organizations will
produce this assurance as a normal part of software development, balancing
their efforts across preparing, developing, verifying, and managing
application security. To achieve this, developers, architects, and business
owners will also have to work side-by-side with security people to ensure
that proper security controls are in place.
MISSION: Change the software market to one where application security is
. Bootstrap and encourage the introduction of application security
into the software market
. Raise awareness of application security to the point where every
developer, manager, architect, and end-user knows the basics
. Make the fundamental tools of application security free and open
. Create an unparalleled constantly evolving application security
. Help organizations understand the assurance people need, how to
build it, and how to communicate it
. Perform groundbreaking research in ways to achieve application
security cheaper, better, and faster
. Establish standards for everything in application security
(people, processes, technologies, services)
. Invent new ways to capture, visualize, and explain application
security to software consumers
. Build a community of application security researchers to advance
the state of the art
. Evaluate new technologies to understand what security they provide
and what is left to developers
. Help framework developers include security controls and make them
easy to use
. Provide support and incubation for technologies that deserve to be