[Owasp-board] FW: HOST investment overview

Kate Hartmann kate.hartmann at owasp.org
Fri Apr 20 15:40:07 UTC 2012

Board, I spoke with John a couple of weeks ago and again last night.  DHS
would like to contribute $25,000 to directly support some OWASP projects!
Please read the email from John and provide some feedback/discussion so we
can outline some next steps.  


I have discussed this with Jason and he will bring the GPC into the


Kate Hartmann

Operations Director


www.owasp.org <http://www.owasp.org/>

Skype:  Kate.hartmann1


From: jmw oss-institute.org [mailto:jmw at oss-institute.org] 
Sent: Friday, April 20, 2012 11:06 AM
To: Kate Hartmann
Cc: Josh Davis
Subject: HOST investment overview


Friday, 20 April 2012

Kate Hartmann, please meet Joshua Davis.  Josh is with Georgia Tech Research
Institute and is the PI on the DHS HOST program.  Josh and I are leading the
effort to identify and connect with investment opportunities for the HOST

Now, as we discussed yesterday, our team has come up with an initial idea of
some efforts that we think might be good targets for investment on behalf of
DHS/HOST.  These are simply our suggestions based on our external
observations, so if you think there are other efforts that are more
appropriate/more likely to provide results in line with what we're trying to
do/or simply a better investment for the amount and type of funds we can
provide, then please let us know.  Our ultimate goal is to help you guys
become MORE successful and not to cram a square peg down a round hole.

First, also let me repeat what we define as "success" for this effort.  The
DHS Homeland Open Security Technology (HOST) program
(http://www.cyber.st.dhs.gov/host/) is a multi-year effort sponsored by the
DHS Science & Technology Directorate whose mission is to identify and help
facilitate adoption and use of open source software solutions within
government systems that ultimately support national cybersecurity
objectives.  In this capacity, DHS strives to be a thought leader in helping
to identify and facilitate development and adoption of open source projects
which are ultimately self-sustaining and bring value to the entire community
of users -- government, industry, academic and open source community.  We do
not wish to serve as a single funder of any activity, but to help encourage
and drive innovation.  What we need in response to these investments is
documentation of where the money goes and results of effort; acknowledgement
of participation -- we're not looking to take credit for your efforts, but
to be recognized as a participant and supporter of your efforts; opportunity
to provide input, feedback, insights for efforts we help support; and
finally, to build a productive, mutually-beneficial working relationship
with your organization and hopefully to encourage others to provide
sponsorship/contribution/help through our supporting your efforts.  We know
these things take on a life of their own, so we don't want to get in the
way, but we want to be able to help where appropriate and to help it grow
and be successful.

With all that goodness in mind, here are the initial ideas we'd like to put
out on the table and get your feedback:

Open Web Application Security Project (OWASP)

1) Enterprise Security API (ESAPI)

Description: Enterprise security APIs for remediation of OWASP Top 10
vulnerabilities. It has generic APIs for each of these vulnerabilities. This
is a great source where application developers can see how specific issues
can be remediated. The ESAPI libraries are designed to make it easier for
programmers to retrofit security into existing applications. The ESAPI
libraries also serve as a solid foundation for new development.

Impact: Associate DHS S&T with improving a technology used by Amex, Apache,
Booz Allen Hamilton, Aspect Security, Foundstone (McAfee), The Hartford,
Infinite Campus, Lockheed Martin, MITRE, SPAWAR, World Bank, SANS Institute;
Use as a tool to engage the larger organizations; Use as a tool for expanding
collaboration with OWASP

2) Code Review Guide

Description: Co-develop with OWASP a web security best practices guide that
supports DHS and OWASP's missions of "helping organizations with application
security."  The approach would be to devise a working group for leaders in this
community, at an OWASP event or one scheduled separately, to co-author this guide.
The document would be published as both an OWASP and DHS S&T Guidance
document.  NOTE: Additional market analysis is required to ensure proper
alignment to the market's needs.

Impact: Provide all web developers a useful resource that DHS can continue
to expand in the coming years; Use as tool for expanding collaboration with
OWASP; Outreach tool directly targeting web developers and potential users
of future HOST output

3) ModSecurity Core Rule Set

Description: ModSecurity is a web application firewall engine that provides
very little protection on its own. In order to become useful, ModSecurity
must be configured with rules. In order to enable users to take full
advantage of ModSecurity out of the box, Trustwave's SpiderLabs is
providing a free certified rule set for ModSecurity 2.x. Unlike intrusion
detection and prevention systems, which rely on signatures specific to known
vulnerabilities, the Core Rules provide generic protection from unknown
vulnerabilities often found in web applications, which are in most cases
custom coded. The Core Rules are heavily commented to allow them to be used as
a step-by-step deployment guide for ModSecurity.  Allow HOST to expand
inexpensively beyond Intrusion Detection (IDS).

Impact: Engage directly with "open data" groups within OWASP; Expand the HOST
program's "stack" in regards to enterprise security; Use as a tool for
expanding collaboration with OWASP

As I mentioned, let's start off looking at an investment opportunity of
$25,000 to be spread among these (or others) as appropriate.  There is a
possibility of securing additional funds, but this is where we'd like to
start to build the relationship.

Please reply back to both of us as we work as a team on this effort.

Again, I look forward to working with you and OWASP and thanks for doing
what you're doing!  Keep up the great work.


On 04/20/2012 08:45 AM, Kate Hartmann wrote: 

John, glad we could connect yesterday.  I'm looking forward to continuing
that conversation.


Kate Hartmann

Operations Director


www.owasp.org <http://www.owasp.org/>  

Skype:  Kate.hartmann1

