[Owasp-board] SWAMP+OWASP plan proposal integrated into QA project

johanna curiel curiel johanna.curiel at owasp.org
Sun Jun 8 14:25:25 UTC 2014


As far as I know these are only some of the major points that need to be
addressed before considering the application to the grant. I would love
to hear from a lawyer, as I spent the last two years looking into this but
not lately and maybe something changed.

Some info from last year at Black Hat that might shed some light on this:

https://www.youtube.com/watch?v=tyGrcXsqORA


On Sun, Jun 8, 2014 at 9:34 AM, Enrico Branca <enrico.branca at owasp.org>
wrote:

> Hi,
>
> Thanks to the answers I now have a better understanding of US grants.
> It seems that to request a grant a project would need a budget and a
> sponsor/company to support it.
>
> From the business point of view I think I will check the project "OWASP
> Cyber Security Startup Initiative" and will get in touch with them at
> Appsec Europe.
>
> And for the legal part, contributing to the SWAMP initiative with a
> technology able to find bugs in languages not currently supported by
> SWAMP would be in line with a grant request, but I don't see how
> individuals could safely contribute to it.
>
> For example, imagine a European citizen develops an automated tool able
> to find bugs in scripting languages (Perl, Python, etc.) and makes the
> tool publicly available in SWAMP.
>
> The tool would have a chance of finding previously unknown bugs in tools
> of general usage and potentially even in commercial tools, and the fact
> that it is now in the public domain implies that everyone can use it how
> they please.
>
> Assuming the tool can be used offline, people could use it to attack any
> software they want to find bugs in; this could lead to the disclosure
> of a serious problem with wide consequences, and the person responsible
> for this would be the group that developed it (and that has attribution
> rights) in the first place.
>
> If this happens and the developer team has European members they could
> be held responsible for developing it and, depending on which country
> they live in, this could be considered a crime, from a case with penal
> charges to a case where a developer could be seen as a terrorist.
>
> All this would not be applicable to projects related to documentation
> or guides but only to tool development, and none of this would apply
> to teams working outside Europe.
>
> But tool projects having European contributors would need serious
> control over who can contribute and what is researched, as even sharing
> data between developers would have to be appropriately controlled due to
> European data privacy laws.
>
> As far as I know these are only some of the major points that need to be
> addressed before considering the application to the grant. I would love
> to hear from a lawyer, as I spent the last two years looking into this but
> not lately and maybe something changed.
>
> Enrico
>
> On 08/06/2014 14:19, Eoin Keary wrote:
> > Hey,
> > Similar to the guide grants for code review, Dev guide and testing guide,
> > I don't believe there are any restrictions.
> >
> > The funds are to develop the projects rather than pay individual people.
> >
> > Might be best to clarify with DHS / Kevin Green?
> >
> >
> >
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> >
> >
> > On 8 Jun 2014, at 13:15, johanna curiel curiel <johanna.curiel at owasp.org>
> > wrote:
> >
> >> Hi Board
> >>
> >> Enrico had some questions regarding getting grants through DHS. Please
> >> feel free to comment to further clarify my answers.
> >>
> >>
> >> On Fri, Jun 6, 2014 at 6:27 PM, Enrico Branca <enrico.branca at owasp.org>
> >> wrote:
> >>> Hi Johanna,
> >>>
> >>> Thank you for the links as I missed some details.
> >>>
> >>> As usual I have some questions:
> >>> - can people outside USA participate/contribute?
> >>
> >> I think so. I don't think we are limited to location, since OWASP is a
> >> foundation established in the US. The management of the grant in
> >> administration terms is something that I think must be done from the
> >> foundation and not an individual. So you might not apply directly, but
> >> through OWASP.
> >>>
> >>> - if we participate and the project is worthy of a grant can
> >>> people/groups outside us receive it through owasp?
> >>
> >> My experience with grants is that they are very strict about how you manage
> >> your budget. Most of the time it is required that you pre-finance the
> >> project and later on declare the costs. If the costs do not match the
> >> original funding purpose, you won't get that money back; therefore it is very
> >> important that people understand how that money is spent and declared, and
> >> that this is done within the regulations of the grant. Again, the budget needs
> >> to be managed from OWASP once it gets paid and then you can receive that payment.
> >>
> >> This grant, for example (see attached file):
> >> We as OWASP can participate because we match the mission/vision.
> >> Deadline is September. Let's try it!
> >>>
> >>> - assuming somebody has tools to test for real software problems, but
> >>> industry is looking for a small subset of it because nobody wants to
> >>> know the hard problems, does a supposed tool need to follow the normal way
> >>> or is it possible to actually do something useful to find bad problems?
> >>
> >> For grants, you need to match the mission/vision of your project with
> >> the grant program. If it does not match you won't get the grant.
> >> For example this grant:
> >>
> >> http://www.grants.gov/search-grants.html?fundingCategories%3DST%7CScience%20and%20Technology%20and%20other%20Research%20and%20Development
> >>>
> >>> - assuming we have a tool able to detect bugs, and assuming it is the only
> >>> tool available for doing that in a specific language, what happens if
> >>> lots of bugs are found in current software? Are they disclosed without
> >>> restrictions? Do they all remain inside DHS? Any idea?
> >>
> >> Good questions. SWAMP has the possibility to test and let the tool be
> >> "private". But I will confirm this info with them.
> >>>
> >>> I have a very good idea of what is needed as I am working on a similar
> >>> project and actually already have half of what is required, but before
> >>> contributing I would like to have a very clear idea on the boundaries of
> >>> the scope, as for a European professional working in security this can be
> >>> very dangerous.
> >>
> >> Well indeed, we need legal advice here. A while ago I thought of a
> >> tool to use social engineering and programming to break passwords. My
> >> brother said to me I should be careful with that kind of tool because it
> >> can get me in trouble. So we need advice in order to know we don't cross the
> >> legal boundaries.
> >>>
> >>> Let me know if you have more info about this or more documentation I can
> >>> read as I am really interested.
> >> See attached file:
> >> http://www.dhs.gov/dhs-financial-assistance
> >>
> >>>
> >>> Regards,
> >>> Enrico
> >>>
> >>> On 06/06/2014 23:46, johanna curiel curiel wrote:
> >>>> I have created a proposal in the wiki for how we will integrate OWASP tools
> >>>> into the SWAMP
> >>>>
> >>>> Phase one==> Starting next week
> >>>> https://www.owasp.org/index.php/SWAMP_OWASP
> >>>>
> >>>> https://www.owasp.org/index.php/Proposal_Project_Review_QA_Approach#Code_Analysis_and_Continuous_Assurance_using_SWAMP
> >>>>
> >>>> I think this can serve us for further discussions with DHS SWAMP.
> >>>>
> >>>> Let me know your thoughts on this
> >>>>
> >>>> regards
> >>>>
> >>>> Johanna
> >>>>
> >>
> >> <GRANTS-opportunities.pdf>
> >> _______________________________________________
> >> Owasp-board mailing list
> >> Owasp-board at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-board
> >
>