[Owasp-leaders] Outreach

Jeff Williams jeff.williams at owasp.org
Thu Apr 7 18:04:58 EDT 2011



You completely misunderstood my intent.  I don’t swing, nor am I particularly subtle or sneaky.


I was congratulating these projects for being open about their security.  I believe this is fantastic evidence that we are achieving our goals of outreach.


I’m glad to see that you recommend working with these development teams, as that’s exactly what I recommended and what I do.  I’ve been working with the Sun (and now Oracle) team on Java EE security for years. 




From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Thursday, April 07, 2011 11:50 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Outreach




You took a pretty big swing at a few very large frameworks. Even though you said "lets not jump all over them" you did just that in a rather subtle and sneaky way. I'm not sure that this the best way to conduct developer outreach. May I suggest:


1) provide factual supportive information as to how these frameworks are not as secure as they claim


2) enter bugs with real tests in each bug tracking system


3) engage these hard-working developers with support and respect (like submitting actual patches to fix the problems?)


Attacking developers, even when you are "right", takes us backwards. Also, expecting developers to "come to us" has never worked. We must, in a supportive fashion, infiltrate their worlds of development. Please help fix the problems! 


If you are not willing to engage their worlds and help fix the problem in their worlds, then •you• are the choir.


We all need to follow Rohit (helping Django) and Schmidt's (building actual security modules for spring and struts) to really make a difference.

-Jim Manico


On Apr 7, 2011, at 10:26 AM, "Jeff Williams" <jeff.williams at owasp.org> wrote:



I'm seeing a lot of interest in OWASP from outside the so-called choir lately. Some web frameworks (Seam <http://seamframework.org/Documentation/WebVulnerabilitiesOverview> , Microsoft Team Foundation Server <http://msdn.microsoft.com/en-us/library/dd129898(v=vs.90).aspx> , Lift <http://seventhings.liftweb.net/security> , Mykonos <http://www.mykonossoftware.com/framework.php> ) have started to publish security information about their frameworks. Some of their claims are a little, well, aggressive.  But rather than jump all over them, let’s encourage these efforts and help them actually provide the protection they’re claiming. 


I’d also like to continue you all to reach out to other communities.  Take Richard Greenberg, for example.  He has been very active at OWASP in California, on the GCC, and helping with the last AppSec conference.   Now he’s running for the ISSA Int’l Board of Directors where he’s planning to help them understand and push for better application security.  If any of you are ISSA members, please support his candidacy at issa.org this June!


I encourage everyone to think of new and better ways to reach out to other groups and figure out how to best help them with application security.  Thanks!





OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110407/e9e16449/attachment.html 

More information about the OWASP-Leaders mailing list