[Owasp-leaders] Outreach

Jim Manico jim.manico at owasp.org
Thu Apr 7 11:49:34 EDT 2011


Jeff,

You took a pretty big swing at a few very large frameworks. Even though you said "let's not jump all over them" you did just that in a rather subtle and sneaky way. I'm not sure that this is the best way to conduct developer outreach. May I suggest:

1) provide factual supportive information as to how these frameworks are not as secure as they claim

2) enter bugs with real tests in each bug tracking system

3) engage these hard-working developers with support and respect (like submitting actual patches to fix the problems?)

Attacking developers, even when you are "right", takes us backwards. Also, expecting developers to "come to us" has never worked. We must, in a supportive fashion, infiltrate their worlds of development. Please help fix the problems! 

If you are not willing to engage their worlds and help fix the problem in their worlds, then •you• are the choir.

We all need to follow Rohit (helping Django) and Schmidt (building actual security modules for Spring and Struts) to really make a difference.

-Jim Manico
http://manico.net
 
On Apr 7, 2011, at 10:26 AM, "Jeff Williams" <jeff.williams at owasp.org> wrote:

> Hi!
>
> I'm seeing a lot of interest in OWASP from outside the so-called choir lately. Some web frameworks (Seam, Microsoft Team Foundation Server, Lift, Mykonos) have started to publish security information about their frameworks. Some of their claims are a little, well, aggressive.  But rather than jump all over them, let’s encourage these efforts and help them actually provide the protection they’re claiming.
>
> I’d also like to continue you all to reach out to other communities.  Take Richard Greenberg, for example.  He has been very active at OWASP in California, on the GCC, and helping with the last AppSec conference.   Now he’s running for the ISSA Int’l Board of Directors where he’s planning to help them understand and push for better application security.  If any of you are ISSA members, please support his candidacy at issa.org this June!
>
> I encourage everyone to think of new and better ways to reach out to other groups and figure out how to best help them with application security.  Thanks!
>
> --Jeff