[Owasp-leaders] OWASP Top 10 quiz

Jason Taylor jason.taylor at owasp.org
Wed Aug 3 16:37:51 EDT 2011


Thanks Kostas. Anurag and I are indeed meeting this week to discuss how to move both efforts forward. Also, you'll be happy to hear we are planning on making a sweeping update to the exams (both in the wiki and in the owaspa moodle site) to reflect all the feedback we've received on the questions, both from the summit and during our own internal reviews.

So quality is going up and contribution is increasing - both great things!

Jason

On Aug 3, 2011, at 2:31 PM, Konstantinos Papapanagiotou wrote:

> I'll have to agree with Christian and Anurag on this. Anurag, an OWASP
> leader, has created an open and free project, practically promoting
> the OWASP Top10. The fact that he has not yet gone through the formal
> process of starting or contributing to a formal OWASP project does not
> mean that he's violating the "owasp brand rules", at least IMHO.
> 
> Anyways, Anurag this is fantastic work. As Ed said you should talk
> with Jason; he is doing an amazing job in the Exams Project as he has
> already put together several questions of similar type. It would be
> great if all OWASP leaders could contribute with some questions to
> this project.
> We are also actually using [some of] these questions in real
> university classrooms (as part of the academy portal project-effort)
> so we will be able to provide in the near future some practical
> feedback.
> 
> Kostas
> 
> 
> 
> On Wed, Aug 3, 2011 at 7:30 PM, Anurag Agarwal (OWASP)
> <anurag.agarwal at owasp.org> wrote:
>> Thanks Jason, Christian, et al for your feedback but I have to admit I am
>> very disappointed with what has transpired so far on this. Not a single
>> feedback on the quality and the type of questions, not even on various
>> features or how far we can take it, etc.
>> 
>> 
>> 
>> My intention was to throw an idea out to OWASP Leaders and get some
>> brilliant minds to provide their feedback on the concept, its usability and
>> such. In the past, people would talk about whether the questions are good
>> enough or we need to improve on those. Maybe share some more ideas on
>> features, etc that we can implement to cater to needs of a wider audience. I
>> had created something to bring more awareness to the developers in a fun way
>> and wanted to share with OWASP and enhance the idea/concept to take it to a
>> greater level. We are trying to reach out to developer community and these
>> type of small projects can help bring more awareness on various OWASP
>> projects in that community.
>> 
>> 
>> 
>> The only positive mail I got was from Ed Adams which led me to Jason Taylor
>> and I will work with him on how we can share a question bank which to me
>> should have been a bigger concern than where it's hosted and how. I already
>> removed the OWASP Logo as suggested by Jeff as I have no intention of
>> misrepresenting OWASP in any way.
>> 
>> 
>> 
>> That being said, I will urge the people on this list to share some ideas and
>> feedback as to how this project can be improved.
>> 
>> Thanks,
>> 
>> Anurag Agarwal
>> MyAppSecurity Inc
>> Cell - 919-244-0803
>> Email - anurag at myappsecurity.com
>> Website - http://www.myappsecurity.com
>> Blog - http://myappsecurity.blogspot.com
>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>> 
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Li
>> Sent: Wednesday, August 03, 2011 11:38 AM
>> To: Christian Heinrich
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] OWASP Top 10 quiz
>> 
>> 
>> 
>> Christian,
>> 
>> 
>> 
>> There is a difference between openness and establishing identity.
>> 
>> 
>> 
>> For example, all of the Apache projects are open source, but it would be
>> inappropriate for you or me to set up a website with the Apache Foundation
>> logo that hosts a service that could be mistaken for something done by the
>> Apache Foundation.
>> 
>> 
>> 
>> The Brand Usage Rules exist to *enable* people to properly use the OWASP
>> brand (#1-4, #9) and also remind people of various misuse cases (#5-8). In
>> that sense, they are not unlike standard security practices of whitelisting
>> allowed cases (#1-4, #9) and blacklisting obvious undesired cases
>> (#5-8). The OWASP Brand Usage Rules are not meant to be an exhaustive list
>> of disallowed uses. Like you, I am not a lawyer, but I believe standard
>> rules and laws regarding use of trademarks still apply to the OWASP brand.
>> 
>> 
>> 
>> Anurag has already stated his intention to eventually create an open source
>> OWASP project out of his effort. As it stands, I'm sure he will agree that
>> the intention of his site is just to pilot some concepts and implementation
>> details and not to misrepresent the site as an OWASP web property.
>> 
>> -Jason
>> 
>> 
>> 
>> On Wed, Aug 3, 2011 at 3:17 AM, Christian Heinrich
>> <christian.heinrich at owasp.org> wrote:
>> 
>> Jeff,
>> 
>> Considering "OWASP is about making application security ideas free and
>> open to everyone, not about locking them up" is your statement which I
>> quote from within
>> https://lists.owasp.org/pipermail/global-projects-committee/2011-August/002250.html
>> 
>> I don't believe Anurag has violated
>> https://www.owasp.org/index.php/OWASP_brand_usage_rules
>> 
>> On Mon, Aug 1, 2011 at 9:56 PM, Anurag Agarwal (OWASP)
>> <anurag.agarwal at owasp.org> wrote:
>>> Jeff - I actually meant to make it as an OWASP project and wanted to start
>>> with a PoC and get the leaders feedback before making it a full blown OWASP
>>> project. That is the only reason I used OWASP name and logo.
>>> 
>>> My apologies for not asking with the OWASP board earlier. I will remove the
>>> OWASP logo.
>>> 
>>> Thanks
>>> Anurag
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Jeff Williams [mailto:jeff.williams at owasp.org]
>>> Sent: Monday, August 01, 2011 1:30 AM
>>> To: 'Anurag Agarwal (OWASP)'; owasp-leaders at lists.owasp.org
>>> Subject: RE: [Owasp-leaders] OWASP Top 10 quiz
>>> 
>>> Hi Anurag,
>>> 
>>> I think this is a cool little project, that could help some folks get a
>>> handle on what their developers actually know. But I'm concerned that this
>>> is being run at owasp.myappsecurity.com with full OWASP branding. It
>>> appears to be an official OWASP project. If you want it to be an OWASP
>>> project, then it should be free and open and run as a real OWASP project --
>>> which we'll help support. If you want it to be proprietary, you can keep
>>> it at myappsecurity and drop the OWASP branding.
>>> 
>>> I appreciate your understanding.
>>> 
>>> Thanks,
>>> 
>>> --Jeff
>>> 
>>> 
>>> -----Original Message-----
>>> From: owasp-leaders-bounces at lists.owasp.org
>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
>>> (OWASP)
>>> Sent: Friday, July 29, 2011 11:38 PM
>>> To: owasp-leaders at lists.owasp.org
>>> Subject: [Owasp-leaders] OWASP Top 10 quiz
>>> 
>>> Hi Everyone - I created a very small quiz for a client to test their
>>> developers' knowledge of OWASP top 10. I thought it would be a good idea to
>>> make it public and let other organizations use it for their development teams
>>> as well. This is a very basic quiz but I do plan to add different levels and
>>> more questions to it and bring randomness in the questions as well.
>>> 
>>> I would greatly appreciate any feedback or suggestions that others may have.
>>> 
>>> 
>>> http://owasp.myappsecurity.com/2011/07/12/quiz/
>>> 
>>> 
>>> Thanks,
>>> 
>>> Anurag Agarwal
>>> MyAppSecurity Inc
>>> Cell - 919-244-0803
>>> Email - anurag at myappsecurity.com
>>> Website - http://www.myappsecurity.com
>>> Blog - http://myappsecurity.blogspot.com
>>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> 
>> 
>> 
>> --
>> Regards,
>> Christian Heinrich
>> http://www.owasp.org/index.php/user:cmlh
>> 


