[Owasp-leaders] Would the real OWASP please stand up!

Yiannis Pavlosoglou yiannis at owasp.org
Thu Sep 17 11:40:32 EDT 2009


So I am sitting there coding away.. A little fuzzer, no more no less,
16 versions later, pet project, adding some new .NET payloads, new
encodings, etc.

In the process I am wondering what happened to OWASP, how come and no
one finding vulnerabilities in web applications, respects this
organization anymore?

* You turn up to any other security meeting, you don't even mention
the acronym without getting looked badly upon
* People actually tell me that they avoid going to particular chapter
meetings, because they are sick and tired of presenters implicitly
trying to sell their own company/service/tool
* Project leaders are thinking of pulling their projects from OWASP,
because they are not into filling pamphlets, presentation slides and
assessment criteria; simply they've got a new cool hack for, say, .NET
input validation, embedded in a python script, document it and it just
works! Did you ever see a pamphlet for apache 1.3.27?
* Chapter leaders do not want to go their own folks and ask for
donations; people that they have been together with from the beginning
of their security careers

And then just as I am about to give up on committees and boards and
members and leaders, I wiz through the testing guide v_22, page 888
and I see a true gem; I download the latest version of orizon and
notice that workaround that would have saved me in the last web
application assessment.

Is it too much to ask for, cutting through all of this and focusing on
that magic phrase, web application security?

You want a marketing department? Go hire one! The time that it takes
me to add double encoding payloads for sharepoint into JBroFuzz is the
time wasted on self assessment criteria. Project leader's ego aside,
which one is better?

And whatever happened to being humble and modest if you are good at
what you do, especially in information security.. Blow your own
trumpet, if you've got something to say, not stale news please.

Yes, continue to evolve and expand OWASP, do make us all proud, but
setup some ground rules to address and harvest knowledge coming in
from the ground. More importantly, get rid of all these silly silly
red tape equivalents. Do not establish anything new (e.g. committees)
without rules on how somebody will loose their status.

And then comes the ultimate excuse, "it was out there for all to
comment while we were setting up X". But how can I even comment, when
your definition of X is ill-defined? When you didn't listen on the
problems that its predecessor Y created. If you look at the
power/responsibility ratio in other open source communities (say the
linux kernel) mistakes are guaranteed not to be repeated again. Still
in OWASP, JBroFuzz, still filling in forms, still not release quality.
Paulo is promising that this will be the last time. What was another
true gem that came my way, along the lines of, "we simply don't know
what version your tool is, you need to tell us". Sincerely, if the
about box is not enough? Go google it!

It seems to me a couple of years down the line, it was the tip of the
iceberg trying to get a simple, silly fuzzer to release quality level;
in understanding the real OWASP and seeing how many others, globally,
from founder equivalent level to the non-member level feel partially
similar. Any chance of a change?


Here are a few suggested (perhaps aggressive) paths:

* Get the board (someone has to take the heat) to go through the tools
one fine Saturday and decide on the release quality of each one. I'll
buy the pizzas guys! Repeat after 3 months, assign Paulo to speak
their voice
* Get chapter leaders to (mandatory) go through the presentation of
any speaker and make them take out corprorate piches (even hints)
* Like the HSBC adds that I see in terminal around the world, respect
local custom and traditions in asking chapter leaders to establish a
unified policy (especially on money matters)
* Kick the folks that don't do the work, out! Give them a second
chance, etc. But measure on results.

a tiny bit fed up Yiannis


More information about the OWASP-Leaders mailing list