[Owasp-board] 2016 ideas

Jim Manico jim.manico at owasp.org
Mon Nov 23 23:09:21 UTC 2015


>  including systematically engaging with volunteers to do security audits, engaging with vendors to get their feedback, and building security checkpoints into the project maturity process.

These are all great (and fundamental) ideas. It would also cost us 20,000-30,000 a pop to do right (especially the security audit part). I do not think OWASP can afford to pay for real security audits for all projects, and it's not wise to trust project owners to do their own assurance work. Third party review is key.

Now if we can get vendors to do this work out of charity or trade for sponsorship, that would be awesome. But I have not had luck getting vendors to do $20,000-30,000 of security library review work, which is why I'm a fan of clearly scoped security bounties for our (very small number of) defensive libraries.

A quick example. A major government org reviewed ESAPI's crypto and missed major problems. Another vendor scanned ESAPI saying it was all clear when it had published major vulns. This kind of assurance is *hard work* and is easy to get wrong. This is another reason why I'm endorsing clearly scoped security bounties. I think an open "traditional" bug bounty would be a very bad idea. That is not (at all) what we are suggesting.

--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me in Rome for AppSecEU 2016!

> On Nov 23, 2015, at 5:44 PM, Matt Konda <matt.konda at owasp.org> wrote:
> 
> including systematically engaging with volunteers to do security audits, engaging with vendors to get their feedback, and building security checkpoints into the project maturity process.