[Owasp-leaders] Would the real OWASP please stand up!

David Campbell dcampbell at owasp.org
Wed Sep 23 13:01:45 EDT 2009


Well said.

I can personally attest to the fact that among some security circles,
OWASP is becoming a dirty word.  Perhaps not as maligned as CISSP, but
definitely headed that way.

I think part of this isn't the fault of OWASP, but perhaps a prejudice
by researchers who do "real security" (i.e. shellcode, kernel exploits,
etc.) that think that webappsec is a lesser path.

But if this bias is rearing up even amongst webappsec people, then
clearly we need to shape up in certain areas.

I like your suggestions Yiannis, and though we haven't had a problem
with corporate pitches (yet) in our chapter, we will institute this
practice going forward:

* Get chapter leaders to (mandatory) go through the presentation of
any speaker and make them take out corporate pitches (even hints)


Thanks for your candor.

DC



Yiannis Pavlosoglou wrote:
> So I am sitting there coding away.. A little fuzzer, no more no less,
> 16 versions later, pet project, adding some new .NET payloads, new
> encodings, etc.
>
> In the process I am wondering what happened to OWASP, how come no
> one finding vulnerabilities in web applications respects this
> organization anymore?
>
> * You turn up to any other security meeting, you don't even mention
> the acronym without getting looked badly upon
> * People actually tell me that they avoid going to particular chapter
> meetings, because they are sick and tired of presenters implicitly
> trying to sell their own company/service/tool
> * Project leaders are thinking of pulling their projects from OWASP,
> because they are not into filling pamphlets, presentation slides and
> assessment criteria; simply they've got a new cool hack for, say, .NET
> input validation, embedded in a python script, document it and it just
> works! Did you ever see a pamphlet for apache 1.3.27?
> * Chapter leaders do not want to go to their own folks and ask for
> donations; people that they have been together with from the beginning
> of their security careers
>
> And then just as I am about to give up on committees and boards and
> members and leaders, I whiz through the testing guide v_22, page 888
> and I see a true gem; I download the latest version of orizon and
> notice that workaround that would have saved me in the last web
> application assessment.
>
> Is it too much to ask for, cutting through all of this and focusing on
> that magic phrase, web application security?
>
> You want a marketing department? Go hire one! The time that it takes
> me to add double encoding payloads for sharepoint into JBroFuzz is the
> time wasted on self assessment criteria. Project leader's ego aside,
> which one is better?
>
> And whatever happened to being humble and modest if you are good at
> what you do, especially in information security.. Blow your own
> trumpet, if you've got something to say, not stale news please.
>
> Yes, continue to evolve and expand OWASP, do make us all proud, but
> setup some ground rules to address and harvest knowledge coming in
> from the ground. More importantly, get rid of all these silly silly
> red tape equivalents. Do not establish anything new (e.g. committees)
> without rules on how somebody will lose their status.
>
> And then comes the ultimate excuse, "it was out there for all to
> comment while we were setting up X". But how can I even comment, when
> your definition of X is ill-defined? When you didn't listen on the
> problems that its predecessor Y created. If you look at the
> power/responsibility ratio in other open source communities (say the
> linux kernel) mistakes are guaranteed not to be repeated again. Still
> in OWASP, JBroFuzz, still filling in forms, still not release quality.
> Paulo is promising that this will be the last time. What was another
> true gem that came my way, along the lines of, "we simply don't know
> what version your tool is, you need to tell us". Sincerely, if the
> about box is not enough? Go google it!
>
> It seems to me a couple of years down the line, it was the tip of the
> iceberg trying to get a simple, silly fuzzer to release quality level;
> in understanding the real OWASP and seeing how many others, globally,
> from founder equivalent level to the non-member level feel partially
> similar. Any chance of a change?
>
>
> Here are a few suggested (perhaps aggressive) paths:
>
> * Get the board (someone has to take the heat) to go through the tools
> one fine Saturday and decide on the release quality of each one. I'll
> buy the pizzas guys! Repeat after 3 months, assign Paulo to speak
> their voice
> * Get chapter leaders to (mandatory) go through the presentation of
> any speaker and make them take out corporate pitches (even hints)
> * Like the HSBC ads that I see in terminals around the world, respect
> local custom and traditions in asking chapter leaders to establish a
> unified policy (especially on money matters)
> * Kick the folks that don't do the work, out! Give them a second
> chance, etc. But measure on results.
>
> a tiny bit fed up Yiannis
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders