[Owasp-leaders] MUST READ: Establishing a Software Ecosystem that Produces Security

Chris Schmidt chris.schmidt at owasp.org
Mon Feb 21 22:51:31 EST 2011

Good call on bringing attention to this Dinis.

I think that there are a lot of things in Jeff's paper that we have all said
individually, but Jeff really does a fantastic job of bringing it all
together and really honing in on exactly what the problem that we are facing
is. I am very anxious to see how the development and management level
communities respond to this article. I think that it will definitely get
some conversation rolling when it hits the mainstream and as we all know, it
only takes a couple people talking and spinning up ideas to come up with
something huge that echoes throughout entire communities. This could be that
pebble in the pond and I think we should all do our part to bring the
conversation out of people when it hits the stands. Blog about the article,
tweet it, reference it, e-mail it around to your local OSUGs and Meet-up
groups, and spread the word. Jeff does a great job in planting the seeds for
change with this paper and it is up to all of us to help it grow into what
it can be. 

On 2/21/11 7:56 PM, "dinis cruz" <dinis.cruz at owasp.org> wrote:

> I think most of you missed this VERY important paper (attached) from Jeff that
> he originally included on this 'Myth of the OWASP board / Not going for
> re-election' email.
> I just read this 7 page document today and I have to say that it is an AMAZING
> presentation of the problems our industry historically has faced. This
> document also presents a great solution which (from my point of view) is spot
> on!
> If we can create a software development culture that promotes and rewards
> security, we will be able to finally change the way apps are created, sold and
> consumed/used.
> I think this presentation should be delivered at ALL OWASP chapters around the
> world, and hopefully very soon we will have a recorded audio/video version
> (with slides) of this presentation by Jeff (or others).
> For reference here is the paper's abstract (note that this will be
> officially published in the next edition of Crosstalk, so please consider this
> a soft release for OWASP leaders' consumption):
> Abstract: What if the key to efficiently and reliably producing secure code is
> not better tools or processes, but our software development culture? In this
> paper, we examine the reasons why software ecosystems systematically
> discourage security, and what organizations can do about them. We suggest that
> the most important thing an organization can do is to influence their software
> development ecosystems to ensure that security is visible, collaborative, and
> measured. A healthy software ecosystem will enable builders and breakers to
> iterate quickly, improving security and building history. To give the
> ecosystem direction, we suggest creating selective pressure for code with both
> strength and simplicity. Anyone interested in exploring this idea is
> encouraged to join us at OWASP.
> Dinis Cruz

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
