[Owasp-board] Questions regarding Developer outreach program

johanna curiel curiel johanna.curiel at owasp.org
Tue Nov 24 00:54:31 UTC 2015


   - Participating in DHS and IEEE standards efforts.  These organisations
   are moving forward with or without us and if we don't participate I think
   we risk losing our place as the de facto standard for application security.

Matt, could you provide some specific references to these programs? In
which way can we contribute and be part of them?
Specifying this information in more detail could help us define a clear
strategy with the community, I think. I think the OWASP Cheat Sheet is doing
a great job at this part, ASVS too. Maybe we should start an ASVS guide for
.NET, an ASVS guide for Java...
I don't know, some ideas. What I like about ASVS is that it provides a clear
guide of security controls and implementation; the only detail is that it
does not provide a specific case, code-wise, of how to implement it in a
given framework/programming language.

   - Making an investment in DevOps.  This includes conference and summit
   activities.  This is an area we have mixed results at so far but we have
   some active work happening that we can either leverage or let fall to the
   wayside.

I believe staff such as Kelly do this wonderfully by being there and
providing information in a booth with other OWASP volunteers. This is the
way I got involved with OWASP, during a Black Hat conference in the EU,
where Martin Knobloch explained OWASP and the projects to me.
Again, looking at strategies that for sure work to get people involved:
making an investment in DevOps should be further defined. What can be done
differently to have more impact on a more secure SDLC? Maybe more about
being a speaker and building or promoting OWASP documents for DevOps.
I think if developers implement ASVS in their lifecycle as security
controls, they have already covered many security issues.

   - Building a data collection and metrics focused initiative so that we
   have something behind us when we say that X,Y,Z are the most important
   things going on and A,B,C work.

Agree, 'if you can measure, you can manage'. What kind of data are we
looking to gather here? What kind of issues are 'hot' within the community?
I think we need to measure, create more surveys, gather
information... research.

   - Building training content and capabilities.

Definitely. OWASP Academy is one initiative, but the training, I think,
should be directed at helping developers implement proper security.
Awareness documents like the OWASP Top Ten and the other Top Tens help in
this process, but the question is content and results. How to invest in
this, and what kind of return do we want to see?
Tim came up with some ideas based on his experience, and that gave me some
ideas too.

>> Also, please consider donating some time to the OWASP ASVS. It's not
>> perfect, but from what I have seen it's the best AppSec standard out there
>> today.

Not because you are a main volunteer on this, but I recently used it and it
is an excellent document, practical and to the point, to help build a secure
development life cycle.

On Mon, Nov 23, 2015 at 7:47 PM, Matt Konda <matt.konda at owasp.org> wrote:

> Johanna,
>
> It is totally fair that the proposal is not well fleshed out.  I put it
> out in that early state with the hope that folks would collaborate in
> putting detail into it and we would come up with an awesome way forward
> working together.
>
> To be clear though, it was never intended that a major portion of it would
> be funding travel to developer conferences.  I for one have already been
> doing that for years, as have many others, on our own dime.  So I think we
> all agree that's not what we want to do here.
>
> What it is about is:
>
>    - Participating in DHS and IEEE standards efforts.  These
>    organizations are moving forward with or without us and if we don't
>    participate I think we risk losing our place as the de facto standard for
>    application security.
>    - Making an investment in DevOps.  This includes conference and summit
>    activities.  This is an area we have mixed results at so far but we have
>    some active work happening that we can either leverage or let fall to the
>    wayside.
>    - Building a data collection and metrics focused initiative so that we
>    have something behind us when we say that X,Y,Z are the most important
>    things going on and A,B,C work.
>    - Building training content and capabilities.
>
> I look forward to your input.
>
> Matt
>
> On Mon, Nov 23, 2015 at 5:33 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> I agree with your concern, Johanna. Going to developer conferences feels
>> good, but it is largely ineffective and does not really scale. Most of
>> OWASP's efforts are on conferences in general, and I think we can do more
>> in service of our mission. (By the same token, I'm really proud of our
>> staff and the work they do to put on amazing conferences.)
>>
>> I'd much rather spend these funds funding and working with popular
>> software frameworks to provide additional automatic security controls where
>> we can. This is how you change the AppSec world for the better, but it's a
>> huge leap from what we do today, and most folks I've talked to in leadership
>> are opposed to that kind of funding.
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> On Nov 23, 2015, at 8:06 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>> Hi Board
>>
>> I do have some questions regarding this program
>>
>> So far I have not seen concrete plans, but a quite vaguely defined plan
>> with a budget of 50K for 'engagement costs' for leaders (who are also not
>> clear) to go to conferences.
>>
>> I do not see clear actions into this initiative.
>>
>> $50K for work to help OWASP *actively engage* with developer
>> communities.==>
>>
>>    - Which concrete actions and steps will be taken in order to *engage*
>>    the developer communities?
>>    - Where is the proposal explaining this?
>>    - What will the selection procedure be for project leaders to go to
>>    these 'conferences'? Will it only be the board members or elected
>>    members, and how will this be done?
>>
>>
>> For example, I don't see how someone who has no developer experience using
>> a certain programming language or framework can engage a developer
>> community, so the action plan is quite important in order to justify this
>> 'engagement' with chances to get results.
>>
>> regards
>>
>> Johanna
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>