[Owasp-board] Ideas for OWASP to work with Microsoft

Jeff Williams jeff.williams at owasp.org
Fri Sep 3 05:35:50 UTC 2010

Let’s discuss how to engage with major software vendors at the conference.
I think that they probably won’t understand the value proposition that we’re
offering here.  This will lead to either no response or a bad response to an
open letter like this.


I think we need to approach organizations with an offer that makes good
business sense for them.  They need to get something out of the
relationship.  And we need to spell that out very clearly for them.


I think that rather than proposing a laundry list of individual projects,
everything we propose should be in the context of building security
ecosystems around technologies. We can do this quite easily and the vendors
probably cannot.  That’s the value proposition for working with OWASP.


BTW – the description of “security ecosystems” you have below is waaaay





From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Monday, August 30, 2010 4:28 AM
To: OWASP Foundation Board List
Subject: [Owasp-board] Ideas for OWASP to work with Microsoft


(Sorry for the delay in sending this) Following the email thread a while
back on what we should be doing here at OWASP-DotNet (and while I was on the
OWASP/O2 tour), I wrote down an email to Microsoft (include below) which I
think represents all the areas we could work together and ends up with the
parts that I think we should focus here at Owasp-dotnet.

My original plan was to have sent this to you and Microsoft S before I got
to Seattle, but I was not able to pull it off (then after the tour I had a
project to complete, so only now I'm able to focus on this again)

I used the ideas that were mentioned during that email thread, and added
some of my thoughts/ideas.

So, what do you think? 

Ideally we should get an agreement amongst us about these topics and then
send it as an 'open letter' to Microsoft and (with some minor modifications)
to other .NET communities (for example Mono).


OWASP is a worldwide community focused on Web Application Security and is
trying to (amongst other things) to help developers to write secure code and

OWASP has grown quite spectacularly over the past couple years (from its
humble beginning at Mark Curphey's Coffee table), and is now a well
respected community of worldwide application security experts focused on Web
Application Security.

Traditionally there has been very little involvement between OWASP and
Microsoft (same problem happens for example with OWASP Java project and
Sun/Oracle, with OWASP and the PHP community , etc....), but we really
should try to reset this relationship and figure out a way to work better.

Here are some ideas of where OWASP and Microsoft could collaborate:

·        Participation of Microsoft at OWASP Conferences:

o   For example Steve Lipner was a KeyNote speaker at our last European
conference and there are a number of forthcoming conferences that Microsoft
could participate: Irvine CA (Sep) (main OWASP conference in the US),
Ireland (Sep), Germany (Oct), Rochester NY (Oct), China (Oct), Austin TX
(Oct), Washington DC (Nov), Brazil SP (Nov), Portugal (Nov), BeNeLux NL

·        “OWASP/.NET Security” tour of OWASP Chapters

o   OWASP has currently a large number of active chapters (spread around the
world) that meet regularly to discuss web application security issues. In
order to maximize impact and minimize efforts, we could work together in an
OWASP/.NET tour where a number of Microsoft employees and other .NET
security experts would deliver a serious of presentations at multiple
chapters around the US or Europe or the World :). 

·        Participation on OWASP Local Chapter Training events and (when
set-up) the OWASP Academies

o   Following the successful London delivery “1 Day OWASP Focused” Training
courses (free to OWASP members) OWASP has decided to invest in this concept
and hiring an external resource to set-up a number of follow-up courses
deliveries in Europe (including a Tour of European Chapters). It would be
great to have direct participation of Microsoft on the .NET part of these

o   Note that part of the objectives of this activity is to create strong
connections with Universities, where they would host a number of these
courses AND one day provide the courses themselves (maybe as an OWASP
Academy (which is just an idea at the moment))

·        ESAPI.NET project

o   The .NET port of ESAPI really needs a direct relationship with
Microsoft. This is an area where OWASP is driving innovation in the
Application Security space by creating a security control library (with
Security Controls Interfaces and proof-of-concept Reference
Implementations). See the ESAPI main page for more details, and note that so
far there are active ports from the original J2EE implementation in : .NET,
Classic ASP, PHP, ColdFusion , Python, JavaScript, Force.com, Ruby, SwingSet

o   Note that the objective of OWASP is not to deliver 'commercially grade'
implementations of these controls, but to provide a common language to
describe what they should look like and reference implementations. The
objective would be that Microsoft's own frameworks, platforms and
applications should provide ESAPI compatible methods so that once developers
are knowledgeable in creating code using the ESAPI calls, they could use it
on the .NET's BCL, Microsoft Enterprise Library, SharePoint, WebMatrix, Web
Protection Library, etc...

*	Also related are the OWASP
<http://www.owasp.org/index.php/Category:OWASP_Encoding_Project>  Encoding
Project and .NET
<http://www.owasp.org/index.php/.NET_Web_Service_Validation>  WebService
Validation proof-of-concept 

·        OWASP Testing Guide and OWASP Code Review projects 

o   These OWASP projects are creating direct guidance for security
consultants and developers on how perform application security reviews from
an BlackBox (Testing Guide) and WhiteBox (Code Review) point of view. The
first release (available as a free download or a printed book) contains some
.NET guidance and examples, but a lot more is needed , and since the work on
the next version has just started, now is the perfect opportunity to be

·        OWASP Developers Guide

o   This OWASP project is focused on creating guidance for developers on how
to design and build security applications. This is quite an old OWASP
project and some of its content needs a major update, the good news is that
work is also just started on the next version, and specially since Microsoft
has such a large body of work on the topic of 'Secure coding' it is critical
that we work together so that the target audience get the best possible

·        OWASP Security Ecosystems

o   A new idea that we are experimenting at OWASP is the concept of creating
a place where all available security guidance about a particular technology,
platform or even application is normalized and presented in a easy to
consume format. See
http://www.owasp.org/index.php/Security_Ecosystem_Project for more details
about the concept.

·        Multiple versions of the OWASP Top 10 

o   There OWASP Top 10 is probably the most famous and successful OWASP
Project, and although it does a great job it would be great to have
'technologic specific variations' like for example:

§  OWASP Top 10 for .NET Framework

§  OWASP Top 10 for SharePoint

§  OWASP Top 10 for Silverlight

·        OWASP O2 Platform 

o   New OWASP project which contains a number of .NET Specific innovations
and a Static Analysis Engine. This topic will be covered on a separate

·        Threat Modeling for .NET

o   Although there is some crowds that think that Threat Modeling doesn't
work, there has been a lot of good work+tools and ideas developed by
Microsoft and there is a good number of OWASP leaders that have quite a lot
of interest in it (there are also some very interesting implications for
threat modeling of the code artifacts created by the O2 Platform)

·        OWASP DotNet project

o   Last (but not least) is the OWASP .NET Project. Although traditionally
there has been quite a lot of .NET related activity at OWASP (see examples
above), the OWASP .NET has struggled to find its place, focus and mission. 

o   Part of the problem has been the large body of .Net Security Knowledge
that Microsoft already provides, and its (the OWASP DotNet Project) focus on
developing tools, research and even strategic guidance that developers are
not that interested in

o   There is currently a large debate on the owasp-dotnet mailing list
which is trying to figure out the next steps for this project and the view
is that the OWASP DotNet project should focus on four areas:

§  being an active voice for Security Guidance on the 'places developers

§  StackOverflow 

§  Developer Conferences

§  MSDN mailing lists


§  providing security guidance on areas that the .NET developer community is
VERY interested in:

§  Asp.Net request visualization and security mapping

§  WCF visualization and security mapping

§  Asp.Net MVC

§  WebMatrix

§  CAT.NET and FxCop

§  SharePoint

§  Dynamic Languages (IronPython, IronRydy, etc..)

§  WebBased APIs (Authentication, Authorization, Cloud, etc...)

§  SilverLight Security (I have some question marks on this one since I'm
not sure how big the SilverLight development market actually is)

§  Writing .Net security Rules (both Black and While box)

§  Integrated with the multiple OWASP Guides (Testing, Code Review and

§  Consumable by scanning tools: Cat.Net, FxCop, Gendarme, O2 Platform, IBM,
Fortify, Armorize, WebInspect, Cenzic, etc...

§  organizing .NET Security Gatherings/Summits where clients, developers and
security experts come together to debate and work on .NET Security related

§  OWASP is in a unique location to facilitate these meetings since we have
active relationships with all parties and have already a track record of
creating very productive environments

§  See for example the OWASP Summit in Portugal
(http://www.owasp.org/index.php/OWASP_EU_Summit_2008) and OWASP ESAPI Summit
in DC (http://www.owasp.org/index.php/ESAPI_Summit)


Hopefully amongst the ideas presented above we can find a number were we can
collaborate on the short and medium term.

Best regards

The OWASP DotNet Project



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100903/093dde23/attachment-0002.html>

More information about the Owasp-board mailing list