[Owasp-board] HOST investment overview

Michael Coates michael.coates at owasp.org
Sun Apr 22 15:31:44 UTC 2012


Yes, let's have a call to understand more.  I won't be free till Friday though.


Kate, can you set something up?  I'm available on Friday at anytime except 11-11:30am and 1-2pm (Pacific)




-------
Michael Coates | OWASP
michael.coates at owasp.org | @_mwc



On Apr 20, 2012, at 11:09 AM, Eoin wrote:

> Can we have a call with them next week???
> 
> 
> Eoin Keary
> BCC Risk Advisory
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 20 Apr 2012, at 17:16, Michael Coates <michael.coates at owasp.org> wrote:
> 
>> This sounds like a great opportunity.  What is our time table for responses?
>> 
>> 
>> -------
>> Michael Coates | OWASP
>> michael.coates at owasp.org | @_mwc
>> 
>> 
>> 
>> On Apr 20, 2012, at 8:40 AM, Kate Hartmann wrote:
>> 
>>> Board, I spoke with John a couple of weeks ago and again last night.  DHS would like to contribute $25,000 to directly support some OWASP projects!  Please read the email from John and provide some feedback/discussion so we can outline some next steps. 
>>> 
>>> I have discussed this with Jason and he will bring the GPC into the conversation.
>>> 
>>> Kate Hartmann
>>> Operations Director
>>> 301-275-9403
>>> www.owasp.org
>>> Skype:  Kate.hartmann1
>>> 
>>> From: jmw oss-institute.org [mailto:jmw at oss-institute.org] 
>>> Sent: Friday, April 20, 2012 11:06 AM
>>> To: Kate Hartmann
>>> Cc: Josh Davis
>>> Subject: HOST investment overview
>>> 
>>> Friday, 20 April 2012
>>> 
>>> Kate Hartmann, please meet Joshua Davis.  Josh is with Georgia Tech Research Institute and is the PI on the DHS HOST program.  Josh and I are leading the effort to identify and connect with investment opportunities for the HOST program.
>>> 
>>> Now, as we discussed yesterday, our team has come up with an initial idea of some efforts that we think might be good targets for investment on behalf of DHS/HOST.  These are simply our suggestions based on our external observations, so if you think there are other efforts that are more appropriate/more likely to provide results in line with what we're trying to do/or simply a better investment for the amount and type of funds we can provide, then please let us know.  Our ultimate goal is to help you guys become MORE successful and not to cram a square peg down a round hole.
>>> 
>>> First, also let me repeat what we define as "success" for this effort.  The DHS Homeland Open Security Technology (HOST) program (http://www.cyber.st.dhs.gov/host/) is a multi-year effort sponsored by the DHS Science & Technology Directorate whose mission is to identify and help facilitate adoption and use of open source software solutions within government systems that ultimately support national cybersecurity objectives.  In this capacity, DHS strives to be a thought leader in helping to identify and facilitate development and adoption of open source projects which are ultimately self-sustaining and bring value to the entire community of users -- government, industry, academic and open source community.  We do not wish to serve as a single funder of any activity, but to help encourage and drive innovation.  What we need in response to these investments is documentation of where the money goes and results of effort; acknowledgement of participation -- we're not looking to take credit for your efforts, but to be recognized as a participant and supporter of your efforts; opportunity to provide input, feedback, insights for efforts we help support; and finally, to build a productive, mutually-beneficial working relationship with your organization and hopefully to encourage others to provide sponsorship/contribution/help through our supporting your efforts.  We know these things take on a life of their own, so we don't want to get in the way, but we want to be able to help where appropriate and to help it grow and be successful.
>>> 
>>> With all that goodness in mind, here are the initial ideas we'd like to put out on the table and get your feedback:
>>> 
>>> 
>>> Open Web Application Security Project (OWASP)
>>> 
>>> 1) Enterprise Security API (ESAPI)
>>> 
>>> Description: Enterprise security APIs for remediation of OWASP Top 10 vulnerabilities. It has generic APIs for each of these vulnerabilities. This is a great source where application developers can see how specific issues can be remediated. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.
>>> 
>>> Impact: Associate DHS S&T with improving a technology used by Amex, Apache, Booz Allen Hamilton, Aspect security, Foundstone (McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, SPAWAR, World Bank, SANS Institute; Use as a tool to engage the larger organizations; Use as tool for expanding collaboration with OWASP
>>> 
>>> 2) Code Review Guide
>>> 
>>> Description: Co-develop with OWASP a web security best practices guide that supports DHS and OWASP’s missions of “helping organizations with application security.”  Approach would be to devise a working group for leaders in this community, at an OWASP event or scheduled separately, to co-author this guide.  The document would be published as both an OWASP and DHS S&T Guidance document.  NOTE: Additional market analysis is required to ensure proper alignment to the market’s needs.
>>> 
>>> Impact: Provide all web developers a useful resource that DHS can continue to expand in the coming years; Use as tool for expanding collaboration with OWASP; Outreach tool directly targeting web developers and potential users of future HOST output
>>> 
>>> 3) ModSecurity Core Rule Set
>>> 
>>> Description: ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is providing a free certified rule set for ModSecurity™ 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow them to be used as a step-by-step deployment guide for ModSecurity™.  Allow HOST to expand inexpensively beyond Intrusion Detection (IDS).
>>> 
>>> Impact: Engage directly with “open data” groups within OWASP; Expand HOST program’s “stack” in regards to enterprise security; Use as tool for expanding collaboration with OWASP
>>> 
>>> 
>>> As I mentioned, let's start off looking at an investment opportunity of $25,000 to be spread among these (or others) as appropriate.  There is a possibility of securing additional funds, but this is where we'd like to start to build the relationship.
>>> 
>>> Please reply back to both of us as we work as a team on this effort.
>>> 
>>> Again, I look forward to working with you and OWASP and thanks for doing what you're doing!  Keep up the great work.
>>> 
>>> V/r
>>> jmw
>>> 
>>> 
>>> 
>>> On 04/20/2012 08:45 AM, Kate Hartmann wrote:
>>> John, glad we could connect yesterday.  I’m looking forward to continuing that conversation.
>>> 
>>> Kate Hartmann
>>> Operations Director
>>> 301-275-9403
>>> www.owasp.org
>>> Skype:  Kate.hartmann1
>>> 
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board