[Owasp-board] Fwd: Re: Fwd: Request to address the OWASP Board

Tobias tobias.gondrom at owasp.org
Sun Feb 23 01:45:15 UTC 2014


Dear board colleagues,
FYI
Best regards, Tobias


-------- Original Message --------
Subject: Re: [Owasp-board] Fwd: Request to address the OWASP Board
Date: Sun, 23 Feb 2014 01:15:54 +0000
From: Jeremiah Grossman <jeremiah at whitehatsec.com>
To: Tobias <tobias.gondrom at owasp.org>
CC: Sarah Baso <sarah.baso at owasp.org>



Completely fine to share. Thank you!



On Feb 22, 2014, at 5:14 PM, Tobias <tobias.gondrom at owasp.org> wrote:

> Hi Jeremiah,
>
> thanks a lot for the info. And interesting point. ;-)
> If you wish and with your permission, I can share your reply with the
> board list.
> But as it will not aim for a vote on the day of Mar-3, it is not
> necessary.
> So your choice.
> Very much looking forward to hearing your ideas on Mar-3.
>
> Cheers and all the best, Tobias
>
>
> On 23/02/14 01:02, Jeremiah Grossman wrote:
>> Removing the board from the list as I’m obviously not on it.
>>
>>
>> Tobias,
>>
>> First, thank you very much. And second, your suspicions are correct.
>> While I’ve plenty of “ideas” to float by everyone, they’ve not been
>> fully vetted and certainly not something I think is anywhere near
>> board vote ready.
>>
>> The one I’ve been trying to get socialized for years is an OWASP run
>> application security certification (a variety of them actually).
>> While yet another crappy certification scares many people in the
>> community, and for good ISC2 reasons, I find they mostly disagree
>> with the implementation, but not the concept in general. That says to
>> me, if done well, if done right, this could fly, and do great things.
>> It would give people a real reason to become OWASP members.
>>
>> 1) OWASP sets the minimum standard of experience / skill for a
>> certification. The organization creates and curates the testing
>> question bank.
>>
>> 2) Any organization may then offer in-person / CBT training for those
>> wishing to be OWASP certified. Of course some will be better than
>> others, but this is a community issue.
>>
>> 3) An independent third-party professional testing facility, of which
>> there are many, is approved by OWASP… paid for by the test-taker will
>> then manage the testing processes.
>>
>> Everyone plays a role, all interests are in alignment, and hiring
>> managers may rejoice!
>>
>>
>> Anyway, that’s one…
>>
>>
>>
>> Regards,
>>
>> Jeremiah-
>>
>>
>> On Feb 22, 2014, at 10:02 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>
>>> Hi Sarah,
>>>
>>> thanks.
>>> Yes, I think we should have sufficient time on the agenda.
>>> Could you please add the 20min slot for Jeremiah on Mar-3 agenda
>>> under "new business"?
>>>
>>> Thanks, Tobias
>>>
>>>
>>> Ps.: @Jeremiah: small comment: as mentioned before, if you have
>>> specific ideas or actionable items that you like the board to vote
>>> on, please send these questions before the meeting so people have
>>> time to think about them and involve the community for opinions. As
>>> you did not mention specific vote questions, I assume your talk is
>>> planned as food for thought and potential medium term ideas, but
>>> does not contain requests for immediate actions. (Of course, in the
>>> end nothing would prevent the board from voting during the meeting
>>> if it decides so.)
>>>
>>>
>>>
>>> On 21/02/14 02:50, Sarah Baso wrote:
>>>> Board Members -
>>>> See email from Jeremiah below regarding his request to speak with
>>>> the board. Please let him know if you are not able to accommodate
>>>> his requested time on March 3.
>>>>
>>>> Thanks,
>>>> Sarah
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Jeremiah Grossman <jeremiah at whitehatsec.com>
>>>> Date: Fri, Feb 14, 2014 at 12:10 PM
>>>> Subject: Re: Request to address the OWASP Board
>>>> To: Sarah Baso <sarah.baso at owasp.org>
>>>> Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>
>>>>
>>>>
>>>> Hi Sarah (et al),
>>>>
>>>> Thank you, I much appreciate the opportunity. The ideal time for me
>>>> is March 3 at 9am PT.
>>>>
>>>> The subject I’d like to discuss is, "Growing the Application
>>>> Security Industry,” a topic that’s important to a great many people
>>>> in the industry and I suspect OWASP as an organization as well.
>>>> 20min should be enough to carry on a useful discussion.
>>>>
>>>> As requested for context, while the application security industry
>>>> has grown and grown up a lot over the years, it is still very small
>>>> by any comparison from where it needs to be. Consider, Gary McGraw
>>>> (CTO, Cigital) says roughly 2% of all programmers should be
>>>> software security pros through his BSIMM research. If so, then at a
>>>> worldwide programmer population of 17 million, we’ll be needing
>>>> 340,000 software security pros. I don’t have to tell you all, we’re
>>>> nowhere near that. And don’t even get me started on the completely
>>>> inadequate level of monetary investment in the space relative to
>>>> other less important areas of InfoSec.
>>>>
>>>> What I’m advocating everyone to consider, including the OWASP
>>>> board, is to begin looking at every community project, every
>>>> software and documentation initiative, and every donated dollar
>>>> spent to help close this gap. Investing resources to increase
>>>> OWASP membership, increase the number of people using its
>>>> materials, and by extension the number of organizations that have
>>>> application security programs in general. And then look with a
>>>> skeptical eye for anything that doesn’t move the needle in that
>>>> direction.
>>>>
>>>> I have some ideas sure, but they are just that, ideas. What I think
>>>> we need most, is a new way of thinking about the AppSec industry.
>>>>
>>>> Does this help?
>>>>
>>>> Regards,
>>>>
>>>> Jeremiah Grossman
>>>> Founder & iCEO
>>>> WhiteHat Security
>>>>
>>>>
>>>> On Feb 13, 2014, at 6:01 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>>>>
>>>>> Hi Jeremiah -
>>>>>
>>>>> I wanted to follow up on your request to address the board at an
>>>>> upcoming meeting. The Board has meetings scheduled on February
>>>>> 24th from 8am-10am PST and a week later on March 3 from 7am-10am
>>>>> PST.
>>>>>
>>>>> https://www.owasp.org/index.php/Board#tab=Agenda_for_2014_Meetings
>>>>>
>>>>> We can add you to the agenda for either of these meetings; however
>>>>> a couple of the board members have requested that something in
>>>>> writing (proposal/comments) beforehand would be helpful to chew on
>>>>> to make the time as useful as possible on the call.
>>>>>
>>>>> Let us know your availability and if you have anything specific
>>>>> for them to read in preparation.
>>>>>
>>>>> Best,
>>>>> Sarah Baso
>>>>>
>>>>> -- 
>>>>> Executive Director
>>>>> OWASP Foundation
>>>>>
>>>>> sarah.baso at owasp.org
>>>>> +1.312.869.2779
>>>>
>>>
>>
>


