[Owasp-board] SWAMP+OWASP plan proposal integrated into QA project
johanna curiel curiel
johanna.curiel at owasp.org
Sun Jun 8 14:25:25 UTC 2014
> As far as I know these are only some of the major points that need to be
> addressed before considering the application for the grant. I would love
> to hear from a lawyer, as I spent the last two years looking into this but
> not lately, and maybe something has changed.
Some info from last year at Blackhat that might shed some light on this.
On Sun, Jun 8, 2014 at 9:34 AM, Enrico Branca <enrico.branca at owasp.org> wrote:
> Thanks to the answers I now have a better understanding of US grants.
> It seems that to request a grant a project would need a budget and a
> sponsor/company to support it.
> From the business point of view I think I will check the project "OWASP
> Cyber Security Startup Initiative" and will get in touch with them at
> Appsec Europe.
> And for the legal part, contributing to the SWAMP initiative with a
> technology able to find bugs in languages not currently supported by
> SWAMP would be in line with a grant request, but I don't see how
> individuals could safely contribute to it.
> For example, imagine a European citizen develops an automated tool able
> to find bugs in scripting languages (perl, python, etc.) and makes the
> tool publicly available in SWAMP.
> The tool would have a chance of finding previously unknown bugs in tools
> of general usage and potentially even in commercial tools, and the fact
> that it is now in the public domain implies that everyone can use it however
> they please.
> Assuming the tool can be used offline, people could use it to attack any
> software they want to find bugs in; this could lead to the disclosure
> of a serious problem with wide consequences, and the person responsible
> for this would be the group that developed it (and that has attribution
> rights) in the first place.
> If this happens and the developer team has European members they could
> be held responsible for developing it, and depending on which country
> they live in this could be considered a crime, from a case with penal
> charges to a case where a developer could be seen as a terrorist.
> All this would not be applicable for projects related to documentation
> or guides but only for tool development, and none of this would apply
> to teams working outside Europe.
> But tool projects having European contributors would need serious
> control over who can contribute and what is researched, as even sharing
> data between developers would have to be appropriately controlled due to
> European data privacy laws.
> As far as I know these are only some of the major points that need to be
> addressed before considering the application for the grant. I would love
> to hear from a lawyer, as I spent the last two years looking into this but
> not lately, and maybe something has changed.
> On 08/06/2014 14:19, Eoin Keary wrote:
> > Hey,
> > Similar to the guide grants for code review, Dev guide and testing guide,
> > I don't believe there are any restrictions.
> > The funds are to develop the projects rather than pay individual people.
> > Might be best to clarify with DHS / Kevin Green?
> > Eoin Keary
> > Owasp Global Board
> > +353 87 977 2988
> > On 8 Jun 2014, at 13:15, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> >> Hi Board
> >> Enrico had some questions regarding getting grants through DHS. Please
> >> feel free to comment to further clarify my answers.
> >> On Fri, Jun 6, 2014 at 6:27 PM, Enrico Branca <enrico.branca at owasp.org> wrote:
> >>> Hi Johanna,
> >>> Thank you for the links as I missed some details.
> >>> As usual I have some questions:
> >>> - can people outside the USA participate/contribute?
> >> I think so. I don't think we are limited by location, since OWASP is a
> >> foundation established in the US. The management of the grant in
> >> administrative terms is something that I think must be done by the
> >> foundation and not an individual. So you might not be able to apply
> >> directly, but through OWASP.
> >>> - if we participate and the project is worthy of a grant, can
> >>> people/groups outside the US receive it through OWASP?
> >> My experience with grants is that they are very strict about how you
> >> manage your budget. Most of the time it is required that you pre-finance
> >> the project and later on declare the costs. If the costs do not match the
> >> original funding purpose, you won't get that money back; therefore it is
> >> very important that people understand how that money is spent and
> >> declared, and that this is done within the regulations of the grant.
> >> Again, the budget needs to be managed by OWASP once it gets paid, and
> >> then you can receive that payment.
> >> This grant for example (see attached file)
> >> We as OWASP can participate because we match the mission/vision.
> >> Deadline is September. Let's try it!
> >>> - assuming somebody has tools to test for real software problems, but
> >>> industry is looking for a small subset of it because nobody wants to
> >>> know the hard problems, does a proposed tool need to follow the normal
> >>> way, or is it possible to actually do something useful to find bad problems?
> >> For grants, you need to match the mission/vision of your project with
> >> the grant program. If it does not match you won't get the grant.
> >> For example this grant:
> >>> - assuming we have a tool able to detect bugs, and assuming it is the only
> >>> tool available for doing that in a specific language, what happens if
> >>> lots of bugs are found in current software? Are they disclosed without
> >>> restrictions? Do they all remain inside DHS? Any idea?
> >> Good questions. SWAMP has the possibility to test and let the tool be
> >> "private". But I will confirm this info with them.
> >>> I have a very good idea of what is needed, as I am working on a similar
> >>> project and actually already have half of what is required, but before
> >>> contributing I would like to have a very clear idea of the boundaries and
> >>> the scope, as for a European professional working in security this can be
> >>> very dangerous.
> >> Well indeed, we need legal advice here. A while ago I thought of a
> >> tool to use social engineering and programming to break passwords. My
> >> brother said to me I should be careful with that kind of tool because it
> >> can get me in trouble. So we need advice in order to know we don't cross
> >> the legal boundaries.
> >>> Let me know if you have more info about this or more documentation to
> >>> read, as I am really interested.
> >> see attached file
> >> http://www.dhs.gov/dhs-financial-assistance
> >>> Regards,
> >>> Enrico
> >>> On 06/06/2014 23:46, johanna curiel curiel wrote:
> >>>> I have created a proposal in the wiki for how we will integrate OWASP
> >>>> into the SWAMP
> >>>> Phase one==> Starting next week
> >>>> https://www.owasp.org/index.php/SWAMP_OWASP
> >>>> I think this can serve us for further discussions with DHS SWAMP.
> >>>> Let me know your thoughts on this
> >>>> regards
> >>>> Johanna
> >> <GRANTS-opportunities.pdf>
> >> _______________________________________________
> >> Owasp-board mailing list
> >> Owasp-board at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-board