[Owasp-leaders] OWASP Home Page Project

Matt Tesauro mtesauro at gmail.com
Wed Sep 23 12:09:28 EDT 2009

Agreed that this is a big and important thing for OWASP.

One of the reason's the GPC is working on standardizing information on
projects is so that projects can be sorted into their correct buckets
easily.  That is one of the major reasonings behind the Assessment
Criteria v2 (collect the info we need consistently) and the project
information tabs/templates (have a central collection/storage point for
this info).

The ultimate goal is to make sure this scales (e.g. is automated as much
as possible) so that it doesn't become a maintenance nightmare.  We've
pushed the Wiki software pretty hard (and its taken longer then we'd
have liked) but we're definitely making progress.  The GPC efforts
should help this discussion become reality.

-- Matt Tesauro
OWASP Live CD Project Lead
http://AppSecLive.org - Community and Download site

On Wed, 2009-09-23 at 10:05 +0100, Eoin wrote:
> last November in Portugal we talked about tailoring the site to
> audience on the OWASP home page.
> A technical link and also a user link, both taking a user to a menu of
> appropriate information.
> 2009/9/23 Tom Brennan - OWASP <tomb at owasp.org>
>         yea http://www.aspectsecurity.com looks really good thumbs up
>         to the guy who did it.... want to volunteer some time to
>         owasp ;)
>         OWASP needs a pretty website too + the wiki behind it so that
>         we can continue our collaboration effort. James McGovern and
>         others have been noodling this.. and I hope that the OWASP
>         Mini-Summit happening at the OWASP USA 2009 event on November
>         11th http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 will
>         allow for this very topic to be flushed out from the
>         collaboration from the membership and if someone wants a
>         project this is one of the big ones to lend cycles to. 
>         On Tue, Sep 22, 2009 at 7:54 PM, Mike Boberski
>         <mike.boberski at cox.net> wrote:
>                 I'm surprised no one jumped in on this thread; each is
>                 an item in my mind worth exploring; application
>                 security is incredibly hard to sell people on, such
>                 weak/non-existent mandates in this space. The
>                 Agile-like idea for example seems to pop up
>                 frequently, I think there is something to it. There is
>                 little arguing how the universe latched onto such a
>                 superficially silly thing with religious-like zeal; I
>                 have one customer right now for example where a
>                 development team is hiding behind the Agile Scrum
>                 process to the point of defying their management's
>                 (and their management's management's, and their
>                 management's management's management's) direct
>                 instruction to start addressing security concerns. 
>                 Some initial thoughts on each of the items:
>                 I think the site could benefit for some high-level
>                 buckets near the top, similar to the recent Aspect
>                 Security web site update. Perhaps
>                 protect/detect/lifecycle as on the projects page.
>                 Member companies should go to the top, to the side,
>                 for the reasons cited below. I turned many people
>                 during ASVS' development into ASVS reviewers once they
>                 scrolled to the bottom.
>                 There is merit to the manifesto thing as mentioned
>                 above, the visible thing is a starting point but isn't
>                 all that it could be; here's a starting point for
>                 discussion: (1)A Web application may not disclose or
>                 modify user data without a data owner's permission or,
>                 through inaction, allow unauthorized disclosure or
>                 modification of user data. (2)A Web application must
>                 obey any inputs given to it by users or external
>                 systems, except where such orders would conflict with
>                 the First Law. (3)A Web application must protect its
>                 own existence as long as such protection does not
>                 conflict with the First or Second Law.
>                 I'm not sure the media thing is actionable, other than
>                 adding a link to an OWASP POC to respond to media
>                 inquiries.
>                 Mike
>                 On Mon, Sep 21, 2009 at 3:16 PM, McGovern, James F
>                 (HTSC, IT) <James.McGovern at thehartford.com> wrote:
>                         Figured I would share some marketing oriented
>                         thoughts regarding OWASP with a focus on our
>                         web presence. If you feel I am full of it,
>                         then reply back :-)
>                               * The OWASP website is not relatable.
>                                 Who is the intended audience? Should
>                                 we guide folks based on the roles they
>                                 play?
>                               * There is nothing to speak to the
>                                 legitimacy of OWASP ..... until you
>                                 scroll down to the bottom and see the
>                                 corporate endorsements. Those should
>                                 be higher up on the screen. For those
>                                 who will debate legitimacy, we have to
>                                 acknowledge that the masses within IT
>                                 get giddy when they see famiilar
>                                 logos. Think folks who love Gartner
>                                 Magic Quadrants.
>                               * Also on the home page there is nothing
>                                 about what (specific) problem(s) OWASP
>                                 addresses and fixes. Somewhat sporadic
>                                 information. We need something more
>                                 than making web application security
>                                 visible.
>                               * Are there any quotes from
>                                 people/organizations that were helped
>                                 by OWASP involvement? Testimonials
>                                 would attract more attention. Have
>                                 folks seen the Agile Manifesto and the
>                                 signatories page? We should do
>                                 something similar.
>                               * Media coverage generally depends on a
>                                 "face" to work their story. There are
>                                 likely several angles you can utilize
>                                 such as the "nimbleness" of a
>                                 community vs. a corporation in solving
>                                 a problem. How about a feature
>                                 covering who are some of its
>                                 participants. Sort of a personal
>                                 profile.
>                         ************************************************************
>                         This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
>                         ************************************************************
>                         _______________________________________________
>                         OWASP-Leaders mailing list
>                         OWASP-Leaders at lists.owasp.org
>                         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>                 _______________________________________________
>                 OWASP-Leaders mailing list
>                 OWASP-Leaders at lists.owasp.org
>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>         -- 
>         Tom Brennan
>         973.506.9303
>         http://www.linkedin.com/in/tombrennan
>         _______________________________________________
>         OWASP-Leaders mailing list
>         OWASP-Leaders at lists.owasp.org
>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
> -- 
> Eoin Keary CISSP CISA
> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
> http://asg.ie/
> https://twitter.com/EoinKeary
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list