[Owasp-board] Fwd: [Global_industry_committee] The Microsoft SDL Pro Network

Jeff Williams jeff.williams at owasp.org
Mon Nov 9 02:34:42 UTC 2009


I'm not sure exactly what the plans for the SDL Pro Network are.
http://msdn.microsoft.com/en-us/security/dd219581.aspx.  But it seems to be
pretty commercial and not particularly open.


I don't see what we gain from lending our name to this effort, since we can
already reference anything we want from our wiki.  And there's a danger that
we could lose a bit of our objectivity in the eyes of some.


I suggest that we: 1) should start to do comparisons between the various SDL
approaches out there; 2) should NOT become too strongly aligned with any of
them, unless they are full OWASP projects.


--Jeff


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan -
OWASP
Sent: Friday, November 06, 2009 10:17 PM
To: OWASP Foundation Board List
Subject: [Owasp-board] Fwd: [Global_industry_committee] The Microsoft SDL
Pro Network


see below in the event you missed it.

---------- Forwarded message ----------
From: Colin Watson <colin.watson at owasp.org>
Date: Wed, Oct 28, 2009 at 1:35 PM
Subject: Re: [Global_industry_committee] The Microsoft SDL Pro Network
To: Christian Heinrich <christian.heinrich at owasp.org>,
Global_industry_committee <Global_industry_committee at lists.owasp.org>


Christian

I spoke with Katie on Monday as a result of our approach.

The current 'SDL Pro Network' members are all either training or
consultancy organisations, and/or were involved in the development of
the project.  Katie can see an opportunity for OWASP to become a
member, but it would be a different type than these - OWASP's
importance, and significant developer audience, mean it is in a good
position to encourage the types of practices encouraged in lifecycle
security.

The question is whether OWASP wants to become a member.  What (costs)
might that involve?

- referencing the Microsoft SDL / SDL Pro Network from the wiki
     - perhaps new pages about lifecycle issues, and referencing CLASP, SAMM
       and a new page about SDL Pro (and maybe others: BSIMM, Cigital Software
       Security Touchpoints???)?
- allowing OWASP to be mentioned on the SDL Pro Network page as a member?
     - logo?
     - link?

At the moment there doesn't seem to be any obligation to contribute
resources in any way to the SDL effort, but I suspect the Global
Industry Committee and others would provide feedback on developers'
experiences and future public drafts and the like.  Would it weaken
CLASP or SAMM in any way?

OWASP would also need to consider whether its impartiality is in any
way affected, and also ensure it is not being seen to promote any
particular vendor.  OWASP materials already reference some vendors'
free and commercial products, e.g.

Threat Risk Modeling
http://www.owasp.org/index.php/Threat_Risk_Modeling

Does being a member of SDL Pro Network bring other benefits to OWASP?
Perhaps:

- greater awareness?
- greater acceptance by commercial software development companies?

So we (OWASP) need to have a discussion.  Pravir and Andrew van der
Stock (Development Guide) would seem to be crucial to this. What are
people's views here, and how do you think we should proceed?

Regards

Colin Watson
Global Industry Committee
http://www.owasp.org/index.php/Global_Industry_Committee
_______________________________________________
Global_industry_committee mailing list
Global_industry_committee at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/global_industry_committee




-- 
Tom Brennan
http://www.linkedin.com/in/tombrennan
(973) 506-9303

Don't miss the largest APPSEC focused event in 2009'
http://www.owasp.org/index.php/OWASP_AppSec_DC_2009
