[Owasp-board] 2016 ideas

johanna curiel curiel johanna.curiel at owasp.org
Sun Nov 22 06:12:10 UTC 2015


To run a programma like hackerone we will need to verify the bugs found
We could start with a pilot For CRSFGuard and Dependency Check projects
I volunteer to manage the programma For these projects
I can set a plan to determine the scope of the program with The project
leaders and make sure we verify the
veracity of the reported bugs

What does The board need from me in order to approve my proposal?

On Saturday, November 21, 2015, Michael Coates <michael.coates at owasp.org>
wrote:

> "I would say that for the existing Flagship & LABS (libraries or code) we
> should run a program through Hackerone or Bugbounty.(off course insecure
> applications as WebGoat are out of scope ;-))"
>
> Yes. This would generate awareness, generate opportunities for new
> volunteers and put a better control around our prominent code.
>
>
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> OWASP Global Board
>
>
>
>
>
> On Sat, Nov 21, 2015 at 8:34 AM, johanna curiel curiel <
> johanna.curiel at owasp.org
> <javascript:_e(%7B%7D,'cvml','johanna.curiel at owasp.org');>> wrote:
>
>> Hi Jim & Board
>>
>> 'Developers come to us'... is indeed a moderate approach. I just
>> finalised a security project reviews developed by very serious companies in
>> EU and it amazes me that they were using CRSFGuard and even ESAPI.
>>
>> There is a dependency and the reason why the PHPSEC users were angry at
>> OWASP, they were using the project for some serious development of
>> financial applications and counting on OWASP to secure them.
>>
>> Since OWASP cannot offer a QA process review of its own projects, we
>> should be careful here and indeed, the approach to help improve existing
>> frameworks is more realistic and has less risks associated with reputation
>> issues to OWASP image
>>
>> I would say that for the existing Flagship & LABS (libraries or code) we
>> should run a program through Hackerone or Bugbounty.(off course insecure
>> applications as WebGoat are out of scope ;-))
>>
>> Again, maybe the focus should stop in trying to create libraries as Tim
>> said but focus the efforts into working on existing frameworks.
>>
>> The reality is that creating security libraries is VERY hard and it has a
>> lot of consequences for OWASP image if serious issues are found as the case
>> of PHPSEC
>>
>> regards
>>
>> Johanna
>>
>> On Sat, Nov 21, 2015 at 11:55 AM, Jim Manico <jim.manico at owasp.org
>> <javascript:_e(%7B%7D,'cvml','jim.manico at owasp.org');>> wrote:
>>
>>> Folks,
>>>
>>> I'm feeling a bit more clarity on suggesting technical resource hires
>>> for 2016. Paul, these are just ideas to trigger strategic planning
>>> discussions and ideas. I agree that the final decisions around these hires
>>> is "all you".  I hope this email is taken in the spirt of "ideas to
>>> consider".
>>>
>>> 1) Wiki experts (previously discussed)
>>> 2) Web design expert (previously discussed)
>>> 3) Technical contractor or bounties to help augment the security of
>>> common software frameworks (big potential here)
>>> 4) Security assurance contractors or bounties to help review OWASP
>>> defensive projects
>>>
>>> The whole "developers, come to us" is only modestly effective.
>>> "Developers, we want to help and go to you" is a much more effective
>>> movement, IMO.
>>>
>>> Thinking a bit out of box here... If we spent significant funds in
>>> helping improve common software frameworks for security - we could really
>>> have a massive impact on the world at large. I'd love to see serious
>>> investment in this area....
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me in Rome for AppSecEU 2016!
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> <javascript:_e(%7B%7D,'cvml','Owasp-board at lists.owasp.org');>
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> <javascript:_e(%7B%7D,'cvml','Owasp-board at lists.owasp.org');>
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151122/2647a4a2/attachment.html>


More information about the Owasp-board mailing list