[owasp-intrinsic-security] [Owasp-leaders] Should OWASP partner with Concordia

kuai hinojosa kuai.hinojosa at owasp.org
Thu Oct 23 14:59:07 EDT 2008


Good point. Sending this to the ISWG so we take this into consideration.
On Oct 23, 2008, at 2:22 PM, McGovern, James F (HTSC, IT) wrote:

> Can we get a volunteer to ask this same question in Portugal?
>
> Thanks Gunnar for amplifying, but I would like to add in one more point.
> OWASP will be working with browser vendors. In context of Microsoft, the
> identity selector is known as Cardspace. Firefox also has equivalent
> functionality. If we are going to work to secure the browser, then we
> also must look at identity selectors as well.
>
> -----Original Message-----
> From: Gunnar Peterson [mailto:gunnar at arctecgroup.net]
> Sent: Thursday, October 23, 2008 10:56 AM
> To: McGovern, James F (HTSC, IT)
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Should OWASP partner with Concordia
>
> When I asked people at OWASP in 2005 who had heard about SAML and
> Liberty, two or three hands in a room of 125 went up.
>
> When I speak at identity conferences and ask who knows about OWASP it is
> the same percentage.
>
> James raises good points but there is another issue as well. OWASP is
> about improving access control on the web and all access control is
> dependent on identity.
>
> -Gunnar
>
> -----Original Message-----
> From: "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com>
> Date: Thursday, Oct 23, 2008 11:41 am
> Subject: Re: [Owasp-leaders] Should OWASP partner with Concordia
>
> Now for a healthy dose of political incorrectness. If OWASPers were to
> noodle identity, they would realize that it could not only help make
> security visible but increase our influence. These two spaces are thought
> about differently yet are very compatible. Besides, the identity
> challenge is something that is understood by non-developers (enterprisey
> architects that work in large enterprises that have a deer as their logo
> come to mind) where the top ten is somewhat more mysterious.
>
> Selfishly, it would also bring in more potential sponsors and the OWASP
> conferences would have more than just static analysis, blackbox and
> consulting.
>
> -----Original Message-----
> From: Andrew van der Stock [mailto:vanderaj at owasp.org]
> Sent: Wednesday, October 22, 2008 11:42 PM
> To: Gunnar Peterson
> Cc: McGovern, James F (HTSC, IT); owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Should OWASP partner with Concordia
>
> It's the #1 control in the Coding Standard draft I'm working on.
>
> thanks,
> Andrew
>
> On Oct 22, 2008, at 11:06 PM, Gunnar Peterson wrote:
>
>>> 2. Why aren't concerns around identity ever mentioned in the top ten
>>> such that we propose solutions such as CardSpace, OpenID, XACML, etc
>>> as potential solutions? OWASP needs an IDENTITY PROJECT.
>>
>> This has always bugged me. FWIW, Weak identity is listed in the OWASP
>> Top Ten for Web Services. In fact, I think the username/password combo
>> in web applications is the single biggest security hole
>>
>> -Gunnar
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> thanks,
> Andrew van der Stock
> Lead Author, OWASP Guide and OWASP Top 10
>
>
>
>
> ************************************************************
> This communication, including attachments, is for the exclusive use of
> addressee and may contain proprietary, confidential and/or privileged
> information.  If you are not the intended recipient, any use, copying,
> disclosure, dissemination or distribution is strictly prohibited.  If
> you are not the intended recipient, please notify the sender immediately
> by return e-mail, delete this communication and destroy all copies.
> ************************************************************
>
