[OWASP-LEADERS] Re-introductions and a few things......

Mark Curphey mark at curphey.com
Wed Jan 15 00:01:31 EST 2003


Mark Curphey here. http://www.curphey.com if you want to see the mug
shots! I am not the small guy who smiles a lot, btw.

Got into infosec through a Math degree and a fascination with
cryptography, and then went on to read a Masters in Info Sec (primarily
cryptography) at http://isg.rhul.ac.uk. I am a classic architect, not
half as technical as most of the talented people here, although I can
write some bad Java and C# here and there. I worked for various
investment banks in London and Europe before joining ISS in Atlanta back
when it was a 200-person company and fun to work at. I stayed for 18
months but it changed a lot. I am def not an ISS fan today. I moved to
be a Director of App Sec at a large financial in the bay area, where I
have been for 2 years. A little known story, but one that's true, is
that I started OWASP when a Portuguese guy (Banco I think his name is,
he is in the archives) mailed the webappsec list saying "go on then"
after I put the idea out there.

I am passionate about what we have all created and making sure it
doesn't get exploited commercially by anyone (including me!). There's
benefiting, which I think is fine, and then there's exploitation. I have
fallen out with several people over this (a few of whom have taken it
very personally) and will do it again in a heartbeat. There's no room
for politics and crap here. That is one of the reasons I will be mailing
you all to get a proper legally binding charter set up soon, and then a
foundation that will enforce that legally. I want everyone to feel 100%
comfortable with committing their time and efforts.

I am actually off to join a company called Watchfire.com in Boston,
heading up a business unit building security assessment tools, soon. I
am all too aware of the bad feeling that has arisen from several open
source projects that go commercial, and I want to reassure everyone that
there is NO (read zero) chance of that. I would be really pissed if I
worked on one of those projects and saw someone go off and make millions
by using what a team of people built for free. Just not the spirit of
things. One of the reasons I am so strong on the copyright to the FSF is
to avoid that, and one reason why I will get a proper foundation set up.
I have had several offers to do other things that had implications for
OWASP and I turned them all down. This job actually will let me spend
one day a week on OWASP work, and we will likely financially sponsor
some projects to get some much needed things done (discussion forums,
document management etc). We will also be supporting VulnXML in a big
way if I have my way. It's a good thing for OWASP, which is one reason I
took it.

What do I want to see us do over time? I want to see a kick ass portal
for now ;-). Gradually, over time, I want to see us seen by any
onlookers as having done something which is truly altruistic, of a
quality we can all be proud of, and having seriously made a difference
to the security of the Internet. And most of all I want to continue
having fun. I really enjoy OWASP.

Along the way I have met some great people whom I really want to share a
beer with. You know who you are. You're getting this email!


On Tue, 2003-01-14 at 20:22, moksha faced wrote:
> Hi Folks,
> 
> Apologies for the earlier levity (if apologies are
> warranted or if any one was offended).  I've been in
> the security field since 82 when I worked on private
> key crypto and tactical HF/SAT telecomm systems in the
> Army.  Although my major in college was Physics I keep
> gravitating back into CompSci stuff and am currently
> pursuing my masters at vt.edu in CompSci.  
> 
> Most of my experience is in InfoSec and development in
> whatever the sexy language of the day is for primarily
> financial institutions.  I had a five-year stint
> recently doing pen-testing, ethical whathaveyou, web
> development - but grew tired of the travel and being
> away from my wife and two wonderful kids - hung my
> guns up and now work for a big bank (yep, back in
> Corporate America).
> 
> I got involved in OWASP as a Linux/OSF/GPL bigot when
> I posted an email to dizzie about creating a tool like
> the Sleuth in Java that would run on anything.  OWASP
> was just forming then and a handful of us started
> strategizing about the Webscarab.  In keeping with GPL
> and OOP we decided to reuse as much code as possible,
> but it hasn't gone extremely well and I'm the sole
> developer for it now.  I have a long list of bugs to
> work out, tons of enhancements and features everyone
> wants, and very little time to actually spend on it
> without dropping a few flaming torches I try to
> juggle.
> 
> My real reason for volunteering my *spare time* to
> OWASP and OSF is that COTS stuff simply stinks most of
> the time, and I love writing tools for specific needs
> that COTS stuff just doesn't solve.  You see guys all
> the time starting up an Open Source Foundation type
> product only to have them bought out by folks who've
> run out of ideas and still dare to call themselves
> 'visionaries'. It's a tough fight, but one that I
> humbly submit is worth the effort, whatever effort you
> can afford to spend.  All we have are these streaming
> moments and I choose to try to spend mine wisely.
> 
> AND, I really will get openproxy out soon, I PROMISE. 
> Once we/I've done the VulnXML and integrated what we
> have so far... it'll be a nice little testing utility.
> 
> Warm regards,
> -Steve Taylor ( stealth... BAH! )
> 
> --- Mark Curphey <mark at curphey.com> wrote:
> > Hi Guys
> > 
> > I spent some time on the phone today with a few of
> > you and I think there are generally a few things I
> > (we) can probably do a little better. 
> > 
> > Alex and I are going to take a first stab at a
> > strawman of a few guidelines that will make all of
> > our lives easier, which we will circulate for
> > discussion in a week or so.
> > 
> > In the meantime I wonder if everyone on this list
> > can re-introduce themselves. There are some new
> > people on the list, others don't know each other as
> > well as I know you all and quite frankly I haven't
> > done a good job of introducing people. Perhaps a
> > paragraph about your background, what you do for a
> > living and some details of the OWASP projects you
> > are working on or have worked on. Maybe some words
> > about your ideas of what we could do better as well
> > might be good for discussion. 
> > 
> > I will send mine when I get back home later today.
> > 
> > Thanks
> > 
> > 
> > Mark
> > 
> > 
> > _______________________________________________
> > Owasp-leaders mailing list
> > Owasp-leaders at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-leaders