[Owasp-leaders] OWASP Home Page Project

fabio.e.cerullo at aib.ie fabio.e.cerullo at aib.ie
Wed Sep 23 09:12:12 EDT 2009

ok guys... before going in circles around this I would like to say the 

- this project was indeed discussed during the OWASP Summit @ Portugal and 
I was part of a team composed by Jason & Dave to progress this...
- the main idea was to have a friendly 'end user' website similar to 
Aspect website, and the wiki was supposed to be the backend where owasp 
leaders could discuss the different projects.
- an action plan was agreed back then but never was implemented due to 
'bureaucratic' reasons... being the main one: "the wiki just works..."
- as a result some changes were made (eg. tabs, "search" function, etc) in 
the current wiki and some others were not progressed.

for those who are willing to refresh the "look & feel" of OWASP Website I 
would strongly recommend you to contact Larry Casey.

he has done a great amount of work with the wiki and if a team is built up 
again he should definitely be part of that team.

unfortunately due to time/work constraints I will not be able to add those 
'cycles' at the moment.

ps: I could share with those interested the suggested changes to the wiki 
made by Jason, Dave and me.


Erlend Oftedal <Erlend.Oftedal at BEKK.no>
Sent by: owasp-leaders-bounces at lists.owasp.org
23/09/2009 12:46
Please respond to owasp-leaders
To: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] OWASP Home Page Project

I really like this project, and I think it’s of big importance to the 
future of OWASP.
A couple of things:
1. Design – We should have a design that looks good, but at the same 
time keeps traditional values related to security. These values need to be 
clear to whoever is doing the design. We can either hire a designer or 
crowd-source it as a competition (winner gets a free OWASP membership).
2. The wiki itself – Are there better alternatives out there? I’ve 
been using Atlassian Confluence for quite some time, and it feels a lot 
better than the version of mediawiki we are currently using. Also I’ve 
heard it’s easy to style to a new design. I guess Confluence is not free, 
but maybe we can get a “free for open source” license from them or 
something. Then again maybe newer versions of mediawiki have 
more functionality?

From: owasp-leaders-bounces at lists.owasp.org 
[mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of Leonardo 
Cavallari Militelli
Sent: 23 September 2009 13:32
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Home Page Project

Actually, it was not just discussed, but the OWASP Website Project was 
created during the Summit, however I can't even find its page.

Dave/Jason, do you guys have something to add about this, since you 
were the ones who mentioned it in the past?


On Wed, Sep 23, 2009 at 6:05 AM, Eoin <eoin.keary at owasp.org> wrote:
last November in Portugal we talked about tailoring the site to audience 
on the OWASP home page.
A technical link and also a user link, both taking a user to a menu of 
appropriate information.

2009/9/23 Tom Brennan - OWASP <tomb at owasp.org>
yea http://www.aspectsecurity.com looks really good thumbs up to the guy 
who did it.... want to volunteer some time to owasp ;)

OWASP needs a pretty website too + the wiki behind it so that we can 
continue our collaboration effort. James McGovern and others have been 
noodling this.. and I hope that the OWASP Mini-Summit happening at the 
OWASP USA 2009 event on November 11th 
http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 will allow for this 
very topic to be flushed out from the collaboration from the membership 
and if someone wants a project this is one of the big ones to lend cycles 

On Tue, Sep 22, 2009 at 7:54 PM, Mike Boberski <mike.boberski at cox.net> 
I'm surprised no one jumped in on this thread; each is an item in my mind 
worth exploring; application security is incredibly hard to sell people 
on, such weak/non-existent mandates in this space. The Agile-like idea for 
example seems to pop up frequently, I think there is something to it. 
There is little arguing how the universe latched onto such a superficially 
silly thing with religious-like zeal; I have one customer right now for 
example where a development team is hiding behind the Agile Scrum process 
to the point of defying their management's (and their management's 
management's, and their management's management's management's) direct 
instruction to start addressing security concerns. 

Some initial thoughts on each of the items:

I think the site could benefit from some high-level buckets near the top, 
similar to the recent Aspect Security web site update. Perhaps 
protect/detect/lifecycle as on the projects page.

Member companies should go to the top, to the side, for the reasons cited 
below. I turned many people during ASVS' development into ASVS reviewers 
once they scrolled to the bottom.

There is merit to the manifesto thing as mentioned above, the visible 
thing is a starting point but isn't all that it could be; here's a 
starting point for discussion: (1) A Web application may not disclose or 
modify user data without a data owner's permission or, through inaction, 
allow unauthorized disclosure or modification of user data. (2) A Web 
application must obey any inputs given to it by users or external systems, 
except where such orders would conflict with the First Law. (3) A Web 
application must protect its own existence as long as such protection does 
not conflict with the First or Second Law.

I'm not sure the media thing is actionable, other than adding a link to an 
OWASP POC to respond to media inquiries.


On Mon, Sep 21, 2009 at 3:16 PM, McGovern, James F (HTSC, IT) <
James.McGovern at thehartford.com> wrote:
Figured I would share some marketing oriented thoughts regarding OWASP 
with a focus on our web presence. If you feel I am full of it, then reply 
back :-)
The OWASP website is not relatable. Who is the intended audience? Should 
we guide folks based on the roles they play?
There is nothing to speak to the legitimacy of OWASP ..... until you 
scroll down to the bottom and see the corporate endorsements. Those should 
be higher up on the screen. For those who will debate legitimacy, we have 
to acknowledge that the masses within IT get giddy when they see familiar 
logos. Think folks who love Gartner Magic Quadrants.
Also on the home page there is nothing about what (specific) problem(s) 
OWASP addresses and fixes. Somewhat sporadic information. We need 
something more than making web application security visible.
Are there any quotes from people/organizations that were helped by OWASP 
involvement? Testimonials would attract more attention. Have folks seen 
the Agile Manifesto and the signatories page? We should do something 
Media coverage generally depends on a "face" to work their story. There 
are likely several angles you can utilize such as the "nimbleness" of a 
community vs. a corporation in solving a problem. How about a feature 
covering who are some of its participants. Sort of a personal profile.
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org


Tom Brennan




OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

