[Owasp-board] 2016 ideas

Michael Coates michael.coates at owasp.org
Sat Nov 21 19:28:36 UTC 2015


"I would say that for the existing Flagship & LABS (libraries or code) we
should run a program through Hackerone or Bugbounty. (Of course insecure
applications such as WebGoat are out of scope ;-))"

Yes. This would generate awareness, generate opportunities for new
volunteers and put better controls around our prominent code.


--
Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
OWASP Global Board





On Sat, Nov 21, 2015 at 8:34 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Jim & Board
>
> 'Developers come to us'... is indeed a moderate approach. I just finalised
> a security review of projects developed by very serious companies in the EU and it
> amazes me that they were using CSRFGuard and even ESAPI.
>
> There is a dependency, and that is the reason why the PHPSEC users were angry at
> OWASP: they were using the project for some serious development of
> financial applications and counting on OWASP to secure them.
>
> Since OWASP cannot offer a QA process review of its own projects, we
> should be careful here, and indeed the approach of helping improve existing
> frameworks is more realistic and carries fewer risks of reputation
> issues for OWASP's image.
>
> I would say that for the existing Flagship & LABS (libraries or code) we
> should run a program through Hackerone or Bugbounty. (Of course insecure
> applications such as WebGoat are out of scope ;-))
>
> Again, maybe we should stop trying to create libraries, as Tim
> said, and focus the efforts on working on existing frameworks.
>
> The reality is that creating security libraries is VERY hard and it has a
> lot of consequences for OWASP's image if serious issues are found, as in the case
> of PHPSEC.
>
> regards
>
> Johanna
>
> On Sat, Nov 21, 2015 at 11:55 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Folks,
>>
>> I'm feeling a bit more clarity on suggesting technical resource hires for
>> 2016. Paul, these are just ideas to trigger strategic planning discussions
>> and ideas. I agree that the final decisions around these hires are "all
>> you".  I hope this email is taken in the spirit of "ideas to consider".
>>
>> 1) Wiki experts (previously discussed)
>> 2) Web design expert (previously discussed)
>> 3) Technical contractor or bounties to help augment the security of
>> common software frameworks (big potential here)
>> 4) Security assurance contractors or bounties to help review OWASP
>> defensive projects
>>
>> The whole "developers, come to us" is only modestly effective.
>> "Developers, we want to help and go to you" is a much more effective
>> movement, IMO.
>>
>> Thinking a bit out of the box here... If we spent significant funds on
>> helping improve common software frameworks for security, we could really
>> have a massive impact on the world at large. I'd love to see serious
>> investment in this area....
>>
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>