[Owasp-leaders] Creating OWASP 4.0!

Ralph Durkee rd at rd1.net
Fri Dec 10 14:58:51 EST 2010


I think education is a good second approach, in addition to making it
visible, improve the eyes of those looking for it. :-)  I think
encouraging PCI QSAs to come without giving them a free ride would be
worthwhile. The PCI audit companies pay big bucks to be part of the
club; giving them something free when they pay 20K/yr plus to be a part
of the club just doesn't seem like the right motivation. I do like the
idea of having some training focus for the auditors.

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN



On 12/9/2010 10:41 AM, James McGovern wrote:
>
> Ralph, your sentence: "Regulation such as PCI has been helpful, but it
> has been difficult for it to be effective given that Web App Security
> isn't very measurable by the average auditor." What if we could
> leverage this as both an education and PR opportunity? Imagine a
> marketing campaign where we publicly stated that all OWASP conferences
> are free to PCI QSAs! Additionally, what if we used some of our
> common training curricula to have a one-day class just for auditors on
> how to understand OWASP?
>
>
> James McGovern
> Insurance SBU
> Virtusa Corporation
> 100 Northfield Drive, Suite 305 | Windsor, CT | 06095
> Phone: 860 688 9900 Ext: 1037 | Facsimile: 860 688 2890
> <http://www.virtusa.com/>
>
>
> *From:*owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Ralph Durkee
> *Sent:* Wednesday, December 08, 2010 9:18 PM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Creating OWASP 4.0!
>
>  
>
> I've been thinking about the state of Web App Sec and how it's broken
> and what we can do about it. We've made some progress in some areas like
> SQL injection and malicious file execution, but most of the progress
> has been in large organizations and regulated industries, while the
> small and medium size businesses make up a majority of the market. And
> while we've made progress in some areas, we're not keeping up with the
> rate at which new web apps and new web technologies are deployed. So
> given that we're not keeping up, coupled with the targeting and attack
> techniques continuing to get more sophisticated, I believe the overall
> risk picture is worse now than when we started. That doesn't
> mean we've been a failure; I think we've been very successful in many
> ways, but the web continues to be less safe, and I think we need a
> different approach.
>
> Regulation such as PCI has been helpful, but it has been difficult for
> it to be effective given that Web App Security isn't very measurable
> by the average auditor. David Rice's presentation, which paralleled the
> evolution of regulation, was insightful, and I think somewhat fits,
> with a couple of exceptions. The final phase of self-regulation is
> ideal, but it is not complete and I don't think it will ever be complete.
> Large corporations can make a marketing campaign out of being green
> and get dollar value out of it, but that's not going to be cost
> effective for the small and medium size businesses, and for some, you
> will always need some regulation because it's a cruel world, after
> all. However, to apply effective regulation to the secure web
> applications industry, it needs to be measurable, like pollution. I
> agree that the market will continue to be "broken" until we can make
> security measurable and visible, as Jeff and so many others are always
> on about. I think the security labeling idea from Jeff's AppSec DC
> talk is maybe a little hokey, and a little hard to see how we can make
> it work, but I don't see too many other ways forward at this point
> for making security visible. I'd like to see this as a part of the OWASP
> 4.0 discussion. So what do you think?
>
> -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN
> GCC, Rochester OWASP
>
>
>
> On 12/7/2010 11:36 PM, Jeff Williams wrote:
>
> Hi everyone,
>
> In my mind, OWASP 1.0 was pre-wiki with lots of great work and a less
> great infrastructure. OWASP 2.0 was establishing the 501c3, putting
> in the wiki, and getting lots of great projects started. OWASP 3.0
> started with the Summit in Portugal when we created the new committees
> and has focused on creating thriving projects instead of standalone
> tools. Thank you for all of your efforts growing a fun, civil,
> productive community.
>
> I reach out to you now to ask you to take some time and think about
> what OWASP should become. The time has come to measure our success
> not by the number of members, projects, and conferences, but by
> whether we are succeeding at making the world's software more secure.
> It's time to get our message and strategy to the next level.
>
> *HELP DESIGN OWASP 4.0 IN PORTUGAL AT THE SUMMIT!*
>
> If you consider yourself an OWASP Leader, won't you take a few minutes
> of quiet time and propose a few ideas for how OWASP can retool,
> reorganize, refocus, and revamp itself to really achieve our mission?
> We will rip, mix, and burn these ideas into a new strategy for OWASP
> at the Portugal Summit. I encourage you to check out the resort and
> all the plans happening right now at
> http://www.owasp.org/index.php/Summit_2011.
>
> Here are some ideas to get you started.
>
> We bootstrap several application security ecosystems around key
> technologies like mobile, cloud, REST
>
> We reach out to governments around the world to help them push for
> application security
>
> We raise money to fund real security enhancements to tools, browsers,
> protocols (e.g. OpenSSL)
>
> We make the OWASP materials more usable by providing a "user" site and
> keep the wiki for development
>
> We invest in marketing AppSec: how do we scale David Rice and the
> "greening" of AppSec
>
> We continue our education initiative: academies, college chapters,
> videos, curriculum
>
> We continue our browser initiative and do whatever it takes to get the
> browsers and frameworks talking
>
> We invest in getting in front of new technologies like HTML5
>
> We launch a no-holds-barred XSS eradication campaign
>
> We create a set of objective AppSec *market* metrics that quantify
> the state of our art
>
> We continue to push on creating standards
>
> ???
>
> We need your ideas NOW. Get yourself on the list!
>
> http://www.owasp.org/index.php/Summit_2011#tab=Summit_Attendees
>
> In one week of thinking, arguing, coding, hacking, and writing we are
> going to accomplish more than the rest of the world's appsec efforts
> combined. We'll see you in Portugal ready to rock. Thanks!
>
> --Jeff
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp-leaders