[Owasp-board] Questions regarding Developer outreach program

johanna curiel curiel johanna.curiel at owasp.org
Tue Nov 24 00:32:13 UTC 2015


   - Participating in DHS and IEEE standards efforts.  These organisations
   are moving forward with or without us and if we don't participate I think
   we risk losing our place as the de facto standard for application security.

Matt, could you provide some specific references to these programs?
Specifying this information in more detail could help us define a clear
strategy with the community, I think. I think the OWASP Cheat Sheet is doing
a great job at this part, ASVS and the Testing Guide too. Maybe we should
start ASVS guides for .NET, an ASVS guide for Java... Take the ASVS and
specify it for a framework or API (help implement security with specific
test cases). I don't know, some ideas.

   - Making an investment in DevOps.  This includes conference and summit
   activities.  This is an area we have mixed results at so far but we have
   some active work happening that we can either leverage or let fall to the
   wayside.

I'm all in that we should support the presence at these conferences, and I
believe staff such as Kelly do this wonderfully by being there and
providing information in a booth with other OWASP volunteers. This is the
way I got involved with OWASP, during a Black Hat conference in the EU, when
Martin Knobloch explained OWASP and the projects to me.
Again, looking at strategies that for sure work to get people involved,
making an investment in DevOps should be further defined. What can be
done differently to have more impact on a more secure SDLC? QA? It is about
implementing verification standards, and ASVS does that. Are people
implementing these standards in their operations? You bet they are not ;-)

   - Building a data collection and metrics focused initiative so that we
   have something behind us when we say that X,Y,Z are the most important
   things going on and A,B,C work.

Agree, 'if you can measure, you can manage'. What kind of data are we
looking to gather here? What kind of issues are 'hot' within the community?
I think we need to measure, create more surveys, gather
information... research.

   - Building training content and capabilities.

Definitely. OWASP Academy is one initiative, but the training, I think,
should be directed at helping developers implement proper security.
Awareness documents like the OWASP Top Ten and the other Top Tens help in
this process, but the question is content and results. How to invest in
this and what kind of return do we want to see?

> Also, please consider donating some time to the OWASP ASVS. It's not
> perfect, but from what I have seen it's the best AppSec standard out there
> today.

Not because you are a main volunteer on this, Jim, but I recently used it
and it is an excellent document, practical and to the point, to help build a
secure development life cycle and software, and for testing. What we need is
to take that document and promote it, create specific examples (as already
partially done by the Security Knowledge Framework) and expand the concept.
Look at that demo; that is an excellent source for DevOps and the OWASP
Testing Guide, and construct specific controls and examples for different APIs.

https://demo.securityknowledgeframework.org

Maybe we are not aware of the actual tools OWASP has. We need to promote
and help improve these tools and create learning materials using all these
tools.

Regards

Johanna



On Mon, Nov 23, 2015 at 7:47 PM, Matt Konda <matt.konda at owasp.org> wrote:

> Johanna,
>
> It is totally fair that the proposal is not well fleshed out.  I put it
> out in that early state with the hope that folks would collaborate in
> putting detail into it and we would come up with an awesome way forward
> working together.
>
> To be clear though, it was never intended that a major portion of it would
> be funding travel to developer conferences.  I for one have already been
> doing that for years, as have many others, on our own dime.  So I think we
> all agree that's not what we want to do here.
>
> What it is about is:
>
>    - Participating in DHS and IEEE standards efforts.  These
>    organizations are moving forward with or without us and if we don't
>    participate I think we risk losing our place as the de facto standard for
>    application security.
>    - Making an investment in DevOps.  This includes conference and summit
>    activities.  This is an area we have mixed results at so far but we have
>    some active work happening that we can either leverage or let fall to the
>    wayside.
>    - Building a data collection and metrics focused initiative so that we
>    have something behind us when we say that X,Y,Z are the most important
>    things going on and A,B,C work.
>    - Building training content and capabilities.
>
> I look forward to your input.
>
> Matt
>
> On Mon, Nov 23, 2015 at 5:33 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I agree with your concern, Johanna. Going to developer conferences feels
>> good but is largely ineffective and does not really scale. Most of OWASP's
>> efforts are on conferences in general, and I think we can do more in
>> service of our mission. (By the same token I'm really proud of our staff
>> and the work they do to put on amazing conferences.)
>>
>> I'd much rather spend these funds funding and working with popular
>> software frameworks to provide additional automatic security controls where
>> we can. This is how you change the AppSec world for the better, but it's a
>> huge leap from what we do today and most folks I've talked to in leadership
>> are opposed to that kind of funding.
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> On Nov 23, 2015, at 8:06 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> Hi Board
>>
>> I do have some questions regarding this program
>>
>> So far I have not seen concrete plans but a quite vaguely defined plan
>> with a budget of 50K for 'engagement costs' for leaders (who are also not
>> clear) to go to conferences.
>>
>> I do not see clear actions into this initiative.
>>
>> $50K for work to help OWASP *actively engage* with developer
>> communities.==>
>>
>>    - Which concrete actions and steps will be done in order to *engage*
>>    the developer communities?
>>    - Where is the proposal explaining this?
>>    - How will the selection procedure of project leaders to go to
>>    these 'conferences' work? Will it only be the 'board members' or elected
>>    members, and how will this be done?
>>
>>
>> For example, I don't see how someone who has no developer experience using
>> a certain programming language or framework can engage a developer
>> community, so the action plan is quite important in order to justify this
>> 'engagement' with chances to get results.
>>
>> regards
>>
>> Johanna
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>>
>