[Owasp-board] Questions regarding Developer outreach program

Jim Manico jim.manico at owasp.org
Mon Nov 23 23:55:41 UTC 2015


Now you're talking, Matt. The activities listed below are largely high value, IMO.

In terms of standards, DHS and IEEE are often way behind. The most useful standards relating to our mission are being built at the w3c and IETF. But maybe I'm missing something from DHS/IEEE that is appsec related.

Also, please consider donating some time to the OWASP ASVS. It's not perfect, but from what I have seen it's the best AppSec standard out there today.

Also, please consider finding a way to help add more security into common frameworks and languages with this effort. That's the #1 way to really help devs, IMO.

Aloha,
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me in Rome for AppSecEU 2016!

> On Nov 24, 2015, at 1:47 AM, Matt Konda <matt.konda at owasp.org> wrote:
> 
> Johanna,
> 
> It is totally fair that the proposal is not well fleshed out.  I put it out in that early state with the hope that folks would collaborate in putting detail into it and we would come up with an awesome way forward working together.
> 
> To be clear though, it was never intended that a major portion of it would be funding travel to developer conferences.  I for one have already been doing that for years, as have many others, on our own dime.  So I think we all agree that's not what we want to do here.
> 
> What it is about is:
> - Participating in DHS and IEEE standards efforts.  These organizations are moving forward with or without us and if we don't participate I think we risk losing our place as the de facto standard for application security.
> - Making an investment in DevOps.  This includes conference and summit activities.  This is an area we have mixed results at so far but we have some active work happening that we can either leverage or let fall to the wayside.
> - Building a data collection and metrics focused initiative so that we have something behind us when we say that X,Y,Z are the most important things going on and A,B,C work.
> - Building training content and capabilities.
>
> I look forward to your input.
> 
> Matt
> 
>> On Mon, Nov 23, 2015 at 5:33 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> I agree with your concern, Johanna. Going to developer conferences feels good but it is largely ineffective and does not really scale. Most of OWASP's efforts are on conferences in general, and I think we can do more in service of our mission. (By the same token I'm really proud of our staff and the work they do to put on amazing conferences).
>> 
>> I'd much rather spend these funds funding and working with popular software frameworks to provide additional automatic security controls where we can. This is how you change the AppSec world for the better, but it's a huge leap from what we do today and most folks I've talked to in leadership are opposed to that kind of funding.
>> 
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>> 
>>> On Nov 23, 2015, at 8:06 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>> 
>>> Hi Board
>>> 
>>> I do have some questions regarding this program
>>> 
>>> So far I have not seen concrete plans but a quite vaguely defined plan with a budget for 50K for 'engagement costs' for leaders (who is also not clear) to conferences
>>> 
>>> I do not see clear actions into this initiative. 
>>> 
>>> $50K for work to help OWASP actively engage with developer communities.==>
>>> Which concrete actions and steps will be done  in order to engage the developer communities? 
>>> Where is the proposal explaining this?
>>> How will be the selection procedure of Project leaders to go to these 'conferences'? Will only be the 'board members or elected members and how will this be done?
>>> 
>>> Example, I don't see how someone that has no developer experience using certain programming language or that framework can engage a Developer community, so the action plan is quite important in order to justify this 'engagement' with chances to get results
>>> 
>>> regards
>>> 
>>> Johanna
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> 