[Owasp-board] 2016 ideas

johanna curiel curiel johanna.curiel at owasp.org
Sat Nov 21 16:34:22 UTC 2015


Hi Jim & Board

'Developers come to us'... is indeed a moderate approach. I just finalised
security reviews of projects developed by very serious companies in the EU, and it
amazes me that they were using CSRFGuard and even ESAPI.

There is a dependency, and the reason why the PHPSEC users were angry at
OWASP was that they were using the project for some serious development of
financial applications and counting on OWASP to secure them.

Since OWASP cannot offer a QA process review of its own projects, we should
be careful here, and indeed the approach of helping improve existing
frameworks is more realistic and has fewer risks associated with reputation
issues for OWASP's image.

I would say that for the existing Flagship & LABS projects (libraries or code) we
should run a program through HackerOne or a bug bounty (of course insecure
applications such as WebGoat are out of scope ;-)).

Again, maybe we should stop focusing on trying to create libraries, as Tim
said, and instead focus the efforts on working on existing frameworks.

The reality is that creating security libraries is VERY hard, and it has a
lot of consequences for OWASP's image if serious issues are found, as in the case
of PHPSEC.

Regards,

Johanna

On Sat, Nov 21, 2015 at 11:55 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Folks,
>
> I'm feeling a bit more clarity on suggesting technical resource hires for
> 2016. Paul, these are just ideas to trigger strategic planning discussions
> and ideas. I agree that the final decisions around these hires are "all
> you". I hope this email is taken in the spirit of "ideas to consider".
>
> 1) Wiki experts (previously discussed)
> 2) Web design expert (previously discussed)
> 3) Technical contractor or bounties to help augment the security of common
> software frameworks (big potential here)
> 4) Security assurance contractors or bounties to help review OWASP
> defensive projects
>
> The whole "developers, come to us" is only modestly effective.
> "Developers, we want to help and go to you" is a much more effective
> movement, IMO.
>
> Thinking a bit out of the box here... If we spent significant funds in helping
> improve common software frameworks for security, we could really have a
> massive impact on the world at large. I'd love to see serious investment in
> this area....
>
> Aloha,
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>