[Owasp-leaders] Security advisors for open source libraries & frameworks

Sethi, Rohit rohit at securitycompass.com
Fri Apr 1 17:04:19 EDT 2011


It looks to me like the publishing of names, bios and email addresses of people who volunteer to help is the most easily actionable next step. If somebody wants to step up and start a closed source mailing list, then it's certainly something that open source developers would like but there's likely to be continued disagreement about whether or not it makes sense as part of OWASP.

I guess the next step is to actually get the page set up. Is there a way to get this page set up on OWASP in a non-wiki format since, presumably, we don't want people to tamper with the contact information of existing volunteers? Would this be considered an OWASP project?

Rohit Sethi
Vice President, Product Development
Security Compass & SD Elements
http://www.securitycompass.com
Twitter: rksethi

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
Sent: Thursday, March 31, 2011 3:03 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Security advisors for open source libraries & frameworks

Does being open mean that we have to also make open immediately? For example, if it were possible to have a mailing list where only a few people could see messages instantly but the archive would hide messages until after 30 days elapsed, would we be OK with that?

Could static analysis aid in helping open source projects at least get started with the basic stuff while we use the "qualified" people for things higher up the food chain?

If OWASP members were in a "review" capacity, wouldn't it still be beneficial to catch a few things than everything? We all have different abilities in terms of our advice giving but I believe that even if a bozo gave advice that closed one security defect, we should celebrate. Let's make web appsec visible, not make web appsec people visible?

Advice is exactly that. If you are worried about credibility, we should solicit advice from multiple OWASP members. If it differs then it may actually be a good thing as each person may bring something different to the table.

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Sethi, Rohit
Sent: Tuesday, March 29, 2011 12:38 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Security advisors for open source libraries & frameworks

Nam and John,

Thanks for your responses. Qualification is going to be big here. The frameworks will want people who are truly security experts; wanting to help is probably not sufficient. The problem is we have no easy way of qualifying people. For example, I don't think I ought to be allowed to be part of this group until I can pass some sort of test. Just because I brought the idea to the attention of OWASP shouldn't automatically qualify me.

Does anyone have ideas on how to qualify people for this list? My initial thought is that there should be at least one person who is experienced with closed-source security mailing lists for a commercial or open source product. Maybe OWASP members or leaders or committee members could vote for people with the right qualifications?

Any other ideas?

Rohit Sethi
Vice President, Product Development
Security Compass & SD Elements
http://www.securitycompass.com
Twitter: rksethi

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders