[Owasp-board] Fwd: [Global_industry_committee] The Microsoft SDL Pro Network

Tom Brennan - OWASP tomb at owasp.org
Sat Nov 7 03:16:49 UTC 2009

see below in the event you missed it.

---------- Forwarded message ----------
From: Colin Watson <colin.watson at owasp.org>
Date: Wed, Oct 28, 2009 at 1:35 PM
Subject: Re: [Global_industry_committee] The Microsoft SDL Pro Network
To: Christian Heinrich <christian.heinrich at owasp.org>,
Global_industry_committee <Global_industry_committee at lists.owasp.org>


I spoke with Katie on Monday as a result of our approach.

The current 'SDL Pro Network' members are all either training or
consultancy organisations, and/or were involved in the development of
the project.  Katie can see an opportunity for OWASP to become a
member, but it would be a different type than these - OWASP's
importance, and significant developer audience, mean it is in a good
position to encourage the types of practices encouraged in lifecycle

The question is whether OWASP wants to become a member.  What (costs)
might that involve?

- referencing the Microsoft SDL / SDL Pro Network from the wiki
     - perhaps new pages about lifecycle issues, and referencing CLASP, SAMM
       and a new page about SDL Pro (and maybe others BSIMM, Cigital
       Security Touchpoints???)?
- allowing OWASP to be mentioned on the SDL Pro Network page as a member?
     - logo?
     - link?

At the moment there doesn't seem to be any obligation to contribute
resources in any way to the SDL effort, but I suspect the Global
Industry Committee and others would provide feedback on developers'
experiences and future public drafts and the like.  Would it weaken
CLASP or SAMM in any way?

OWASP would also need to consider whether its impartiality is in any
way affected, and also ensure it is not being seen to promote any
particular vendor.  OWASP materials already reference some vendors'
free and commercial products e.g.

Threat Risk Modeling

Does being a member of SDL Pro Network bring other benefits to OWASP?

- greater awareness?
- greater acceptance by commercial software development companies?

So we (OWASP) need to have a discussion.  Pravir and Andrew van der
Stock (Development Guide) would seem to be crucial to this. What are
people's views here, and how do you think we should proceed?


Colin Watson
Global Industry Committee

Tom Brennan
(973) 506-9303

Don't miss the largest APPSEC focused event in 2009