[Owasp-leaders] Other Ideas for Projects

David Campbell dcampbell at owasp.org
Thu Sep 24 21:35:59 EDT 2009


These guys hit on similar points in step 2

http://chargen.matasano.com/chargen/2009/9/24/indie-software-security-a-12-step-program.html

Dc

On Sep 23, 2009, at 11:12, "Jeff Williams" <jeff.williams at owasp.org>  
wrote:

> The vulnerability disclosure idea is a good project that could fall  
> under the OWASP Legal Project. I think we should try to give them  
> everything they need to run a good application security response  
> center.  I’m thinking…
>
>
>
> Application Security Response Program
>
> 1)      Text for website that encourages responsible disclosure and  
> protects researchers from lawsuit
>
> 2)      A runbook for actually handling reported vulnerabilities  
> (template emails, etc…)
>
> 3)      Guidance on metrics coming out of the program
>
> 4)      Guidance on performing rescues on operational applications
>
> 5)      … what else?
>
>
>
> --Jeff
>
>
>
> PS – Breakfast Serialz?  Seriously? Gimme a bowl of Hackios?  Leet Flakes?  Golden Graham Crackers?  And Tom Brennan’s fav -- two scoopz of Kellog’s Raisin Hell?
>
>
>
>
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders- 
> bounces at lists.owasp.org] On Behalf Of McGovern, James F (HTSC, IT)
> Sent: Wednesday, September 23, 2009 9:38 AM
> To: owasp-leaders at lists.owasp.org
> Subject: [Owasp-leaders] Other Ideas for Projects
>
>
>
> Hopefully one can propose an idea without having to necessarily lead  
> it :-)
>
> OWASP End User Education Project: I was hanging out with our lawyers  
> last week (before watching the wonderful membership video) and we  
> got into a fascinating conversation regarding professional  
> education. Independent insurance agents, accountants, lawyers, etc  
> are all required to take continuing education credits whereby they  
> are encouraged to watch videos, attend seminars, etc. So, with this  
> thought in mind, why can't all of us chapter leaders agree to one  
> fixed day next year where we all present on web application security  
> from the perspective of an end-user? Likewise, could a few of us  
> sketch out a skit that we could do for non-security types to watch  
> and videotape while in DC to load up on YouTube.
> OWASP Vulnerability Disclosure Project: We know that websites have  
> privacy policies, but what about vulnerability disclosure policies?  
> Let's say that I am CISO for a major bank and an OWASP member happens  
> to notice that the site is subject to cross-site. Should they tell  
> me? How should I react? How do you think most CISOs would react? The  
> problem is that vulnerability right now is only thought of in terms  
> of software vendors (think Microsoft, Oracle, CA, etc) and  
> consumerish websites (think MySpace, Facebook, etc), we need to  
> figure out some simple text that folks could incorporate into their  
> website.
> OWASP Branding Project: I mentioned that I am working with a local  
> soda company to create a flavor of soda unique to our chapter  
> (Avery's Soda) and wondered whether this type of branding and logo  
> usage could serve OWASP in other ways. Yes, we could panic and start  
> worrying about food poisoning but I think our endorsement avoidance  
> is around tech companies and not other domains. For example,  
> wouldn't it be cool if we could have our own brand of cereal (I got  
> some pings out).
>
>