[Owasp-board] SWAMP+OWASP plan proposal integrated into QA project

johanna curiel curiel johanna.curiel at owasp.org
Sun Jun 8 12:15:07 UTC 2014

Hi Board

Enrico had some questions regarding getting grants through DHS. Please
feel free to comment to further clarify my answers.

On Fri, Jun 6, 2014 at 6:27 PM, Enrico Branca <enrico.branca at owasp.org>

> Hi Johanna,
> Thank you for the links as I missed some details.
> As usual I have some questions:
> - can people outside USA participate/contribute?

I think so. I don't think we are limited to location since OWASP is a
foundation established in the US. The management of the grant in
administration terms is something that I think must be done from the
foundation and not an individual. So you might not apply directly, but
through OWASP.

> - if we participate and the project is worthy of a grant, can
> people/groups outside the US receive it through OWASP?

My experience with grants is that they are very strict about how you manage your
budget. Most of the time it is required that you pre-finance the project
and later on declare the costs. If the costs do not match the original
funding purpose, you won't get that money back, therefore it is very important
that people understand how that money is spent and declared, and that this is done within
the regulations of the grant. Again, the budget needs to be managed from
OWASP once it gets paid, and then you can receive that payment.

This grant, for example (see attached file):
We as OWASP can participate because we match the mission/vision. Deadline
is September. Let's try it!

> - assuming somebody has tools to test for real software problems, but
> industry is looking for a small subset of it because nobody wants to
> know the hard problems, does a supposed tool need to follow the normal way,
> or is it possible to actually do something useful to find bad problems?

For grants, you need to match the mission/vision of your project with the
grant program. If it does not match, you won't get the grant.
For example, this grant:

> - assuming we have a tool able to detect bugs, and assuming it is the only
> tool available for doing that in a specific language, what happens if
> lots of bugs are found in current software? Are they disclosed without
> restrictions? Do all remain inside DHS? Any idea?

Good questions. SWAMP has the possibility to test and let the tool be
"private". But I will confirm this info with them.

> I have a very good idea of what is needed as I am working on a similar
> project and actually already have half of what is required, but before
> contributing I would like to have a very clear idea on the boundaries of
> the scope, as for a European professional working in security this can be
> very dangerous.

Well indeed, we need legal advice here. A while ago I thought of a tool
to use social engineering and programming to break passwords. My brother
said to me I should be careful with that kind of tool because it can get me
in trouble. So we need advice in order to know we don't cross the legal

> Let me know if you have more info about this or more documentation I can
> read as I am really interested.
See attached file.

> Regards,
> Enrico
> On 06/06/2014 23:46, johanna curiel curiel wrote:
> > I have created a proposal in the wiki for how we will integrate OWASP tools
> > into the SWAMP
> >
> > Phase one ==> Starting next week
> > https://www.owasp.org/index.php/SWAMP_OWASP
> >
> > https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach#Code_Analysis_and_Continuous_Assurance_using_SWAMP
> >
> > I think this can serve us for further discussions with DHS SWAMP.
> >
> > Let me know your thoughts on this
> >
> > regards
> >
> > Johanna
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: GRANTS-opportunities.pdf
Type: application/pdf
Size: 136754 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140608/e186ee21/attachment-0001.pdf>
