[Owasp-cincinnati] FW: [Owasp-leaders] FYI - OWASP mentioned in a new NIST SP

Marco M. Morana marco.m.morana at gmail.com
Thu Nov 15 22:48:37 EST 2007


FYI - OWASP is mentioned as one of the resources in the newly announced
Technical Guide to Information Security Testing by NIST, SP 800-115.
http://csrc.nist.gov/publications/drafts/sp800-115/Draft-SP800-115.pdf

Helen Gao

  _____  

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, November 14, 2007 6:45 AM
To: Ofer Shezaf
Cc: OWASP Leaders
Subject: Re: [Owasp-leaders] What do you want OWASP to become?

Regarding Certification:

 

You (OWASP) only get one chance at this. If we do this too soon (not enough
structure, roles and responsibilities, budget) and it fails, we won't get
another chance or be taken too seriously.

Let's learn to consolidate our gains and walk for a while prior to running.


On 13/11/2007, Ofer Shezaf <OferS at breach.com> wrote: 

I did not take part in the debate until now, but I think one item in Ferruh's
response is so true that it is worth highlighting:

"Current state of OWASP is quite all right."

While I like many of the ideas raised, I think that OWASP is doing well and
progressing, so whatever we do change must be evolutionary rather than
revolutionary.

~ Ofer

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ferruh Mavituna
Sent: Tuesday, November 13, 2007 3:33 AM
Cc: OWASP Leaders
Subject: Re: [Owasp-leaders] What do you want OWASP to become?

 

From OWASP Turkey Chapter,

1) Certification is not required. It requires lots of resources and
it's way too commercial.

2) Apache Foundation is a good example, but we also believe OWASP
should not turn into a software-development-based organization.

3) -

4) Only "members" should pay money, not project leaders and chapter
leaders. Requesting money from chapter leaders or project leaders is
unacceptable, since they have already spent lots of their time on OWASP.

5) Current state of OWASP is quite all right. Making it more formal is
potentially not going to work, and even in this state lots of chapters and
chapter leaders are not active enough. Getting more formal is not going to
help it either.

6) There are some recommendations:

a. Generally we want changes; it's good.

b. Active chapters should be supported more and we should start to
eliminate inactive chapters.


And it's in the wiki as well.


Cheers,

On 09/11/2007, Mark Curphey <mark at curphey.com> wrote: 

First and foremost I would like it to continue to be unique. Break new
ground, change the world, do good, continue to avoid the bs political /
racial / cultural barriers found in the physical world etc. Be a happy place
free from petty politics and "vendors with agendas". In order to do that I
think it needs to morph a little (organic change).

A really well funded community where open source ethos is still at the heart
of the project but it operates like a company or maybe more accurately a
mini-country. An eCountry! Produce software, guidance, certification that
all works together and complements each other. This will be key to avoiding
just a mass of stuff that's good but confusing. A roadmap and project plan
would be a good way to help this. Consciously focus / force path on
software security and not just web app pen testing. Focus on what matters
and not just on what skill set is available. Engage the software security
people and banks / telcos / gov etc. Lobby injustice (PCI-DSS), publicly
set right bs marketing FUD. Continue to make it fun for people to
participate.

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org 
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ivan Ristic
Sent: Thursday, November 08, 2007 11:22 PM 
To: Dinis Cruz
Cc: OWASP Leaders 
Subject: Re: [Owasp-leaders] What do you want OWASP to become?

Some random thoughts:

* I think we should continue along the path we are on right now and
strengthen our positions. Continue to grow the network of Chapters, 
work on our conferences, and so on. Increase quality before expanding
to new venues.

* I also very much like the organisation of the Apache Foundation.

* We need to introduce the concept of project incubation: minimal criteria
required for a project to officially become an OWASP project.

* I like the idea of certification but I don't think we are ready at
this point. Also, this is an effort that needs to be handled
professionally by full-time staff.

* As I said before, I think whoever wants to be called a member needs
to pay for it. Perhaps we could waive the fees for certain individuals
after the first year. Also, the last time I looked the entry level
fees for organisations were too high for very small businesses (e.g.
independent security consultants).


On Nov 1, 2007 12:34 AM, Dinis Cruz <dinis at ddplus.net> wrote:
> Taking Adam's question head on (Adam's original email is included at the
> end),
>
> OWASP Leaders, please answer these questions:
>
> As it grows: what do you want OWASP to become?
>
> A certifying and CBK type pseudo-company like (ISC)2?
> An open source project organized along the lines of Debian, Apache, or a
> similar group that owns a set of projects?
> Does OWASP want to certify apps, testers, both or none? (I've seen all POV
> advocated)
> Who will be required to pay what kind of dues, if any?
> How formal of an organization will OWASP become?
> Is the status quo preferable to the proposed change?
> Other?
>
> For the newer members of this list, here are some pages from our
> www.owasp.org website which you might find interesting:
>
> https://www.owasp.org/index.php/About_OWASP
> https://www.owasp.org/index.php/How_OWASP_Works
> https://www.owasp.org/index.php?title=How_OWASP_Works&diff=22690&oldid=15689
> (this is a previous version of the 'How OWASP Works' page which contains
> some ideas about the future)
> https://www.owasp.org/index.php/OWASP_brand_usage_rules
> https://www.owasp.org/index.php/Chapter_Rules
> https://www.owasp.org/index.php/Chapter_Leader_Handbook
> https://www.owasp.org/index.php/Category:Chapter_Resources
> http://www.owasp.org/index.php/Tutorial#Editing_OWASP
>
> And finally, if you haven't seen this amazing page created by Sebastien a
> while back with descriptions and links to past OWASP presentations, you
> must check it out now:
> http://www.owasp.org/index.php/OWASP_Education_Presentation
>
> Back to the topic at hand. Now is the time to present and defend your
> ideas and vision for OWASP (if you are not comfortable in sending them to
> the list, send them to me directly on dinis.cruz at owasp.net)
>
> Thanks Adam for kickstarting this conversation :)
>
> Dinis Cruz
>
>
> On 10/31/07, Adam Muntner <adam.muntner at quietmove.com> wrote:
> > There is a lot of conversation about how to best organize OWASP -
> > interesting discussion but if we take that approach we may end up with
> > an OWASP that doesn't meet anyone's needs goal-wise, just
> > structure-wise. Which doesn't mean much.
> >
> > It sounds like more fundamentally there's a debate going on about the
> > direction of OWASP - as it grows, what's it to become?
> >
> > - A certifying and CBK type pseudo-company like (ISC)2?
> > - An open source project organized along the lines of Debian, Apache, or
> > a similar group that owns a set of projects?
> > - Does OWASP want to certify apps, testers, both or none? (I've seen all
> > POV advocated)
> > - Who will be required to pay what kind of dues, if any?
> > - How formal of an organization will OWASP become?
> > - Is the status quo preferable to the proposed change?
> >
> > These are some of the more basic questions I've seen bubble to
> > the surface... IMO better to address these big questions and then
> > figure out how the structure could best support it... rather than end up
> > with a bunch of rules and regs that don't fit anyone in particular.
> >
> > Just my .02!
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders



--
Ivan Ristic




-- 
Ferruh Mavituna
http://ferruh.mavituna.com






-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html 
http://www.owasp.org/index.php/OWASP_Testing_Project
http://www.owasp.org/index.php/OWASP_Code_Review_Project 
