[Owasp-leaders] The Gap Between OWASP and Developers

Eoin eoin.keary at owasp.org
Wed Feb 23 08:56:16 EST 2011


Hi John,
may I humbly respond to your observations below?

On 23 February 2011 12:31, John Steven <John.Steven at owasp.org> wrote:

> All,
>
> Prior to the first OWASP summit, I suggested to Dinis we needed to
> make a change like Jeremiah describes. He agreed and suggested he'd
> help fund anyone who I could convince to come. I actively lobbied my
> clients to no avail. Since the first summit, we've all heard several
> well-respected members of the OWASP community--who are not
> vendors--lament how difficult it is for them to contribute. The
> situation faced remains what it was and is simply:
>
> ----
> There is no formal conduit through which the participation of
> commercial entities and their employees feel comfortable contributing
> while protecting their organization's privacy, intellectual property,
> and employment.
> ----
>
> *EK - this is where the industry committee come in in some ways. It needs
to start briding the gap between OWASP and "the world".*
*We have elected an industry committee chair (Joe Bernik) who is not a
vendor which is a great start and something I support and have been
preaching into an echo chamber for the past year. This should ( I hope)
start to get the ball moving and give OWASP a chance to connect with the non
vendor/consultant community. Joe's insight into such issues should help
understand the challenge better and even get some stuff done rather than
talking about it! *



> Some organizations and their employees can participate without such a
> formal conduit, and that's great. Others will not be able to. I
> imagine we want to actively include those who are currently precluded,
> even in a first such attempt at outreach for greater involvement.
> Something Joe, Tom, and other representatives from commercial entities
> and I have talked about is establishing some 'ground rules' for
> working with these reluctant organizations. Ground rules would need to
> address the issues I described in the breakout above.
>
> Failing to make progress on this issue is likely going to cause the
> same deja vu feeling in the broader leader's list that it's doing for
> me now. I think this is a 'non-starter' situation.
>
> If someone from the Industry committee is willing to take lead on this
> effort and produce a draft, I'd be happy to push it to my contacts in
> industry and act as intermediary so that they could anonymously
> improve it for our use.
>

*EK - I am happy to volunteer or at least help but I'm from the "evil"
board, I don't know if this is an issue or not?*
*The reason I went for the board elections 14 months ago was to try and fix
the industry link issue you Jeremiah and I are talking about. I am so glad
we are getting to this point and clever guys like u and J see this problem.
I dont know about you but I am tired of talking security with security folk,
preaching to the choir when the real problem continues to grow.*

>
> -jOHN
>
> On Fri, Feb 18, 2011 at 8:08 PM, Tom Brennan <tomb at owasp.org> wrote:
> > That is the plan of the industry committee for those that missed that
> mission and goal - Joe's got the ball and running with that with the team of
> global industry committee
> >
> > The board nominations can take place as soon as April with election 3
> months after the candidates are locked in. As we did in 2009 the candidates
> need to have a "why me" document write up so that member voters can elect a
> volunteer leader.
> >
> > So if you are reading this and you are a owasp member and
> leader/committee member you are eligible to be nominated as a candidate,
> then the election will happen and the 2 year term will start in January.
> >
> > I will be leading this effort with the assistance of Dan Cornell and the
> rest of the Global Membership Committee like we did in 2009
> >
> > Brennan
> > 9732020122
> >
> > Tom Brennan
> > OWASP Foundation
> > 973-202-0122
> >
> > -----Original Message-----
> > From: Andre Gironda <andreg at gmail.com>
> > Sender: owasp-leaders-bounces at lists.owasp.org
> > Date: Fri, 18 Feb 2011 11:51:50
> > To: <owasp-leaders at lists.owasp.org>
> > Reply-To: "Feel free to browse the archives." <
> owasp-leaders at lists.owasp.org>
> > Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
> > Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
> >
> > On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico <jim.manico at owasp.org>
> wrote:
> >> I'm passing on a message from Jeremiah Grossman on
> vendor/OWASP/enterprise relations. Insightful comments - especially coming
> from a vendor. ;)
> >> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping
> up as the Industry Committee chair. I think this fits into both Jeremiah's
> vision and OWASP's mission very well.
> >>
> >> Aloha,
> >> Jim
> >
> > Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
> > and he put it very eloquently:
> >
> > "Imagine having CSOs from major eCommerce, financial services,
> > healthcare, etc. organizations stacking the OWASP board"
> >
> > I think this is the BEST idea to ever come from Jeremiah, and the only
> > thing I would add to it would be, "as long as WhiteHat Security
> > customers are only represented as a minority and not a majority". ;>
> >
> > If vendors are recommending that their most-faithful of customers
> > become the leadership instead of the vendors themselves -- we could
> > end up in a much worse situation than we are already in with regards
> > to promoting the believability of our appsec expertise (as well as
> > actually having any real experience or direction to put forward to the
> > industry).
> >
> > -Andre
> >
> >> ****
> >>
> >> OWASP Leaders,
> >>
> >> Want to know what scares enterprises, and by extension developers, away
> from OWASP more than anything else? Us. That is, us vendors.
> >>
> >> They look at who makes up the global board. 100% vendors, of one
> particular ilk. They look at who sponsors, the Summit or in general, nearly
> all vendors. They see who gives the presentations. Right, essentially all
> vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't
> also lopsided by vendors. This doesn't leave much room for the enterprise
> representatives to assume key roles and influence the direction of the
> organization as they should be afforded.
> >>
> >> In the beginning days of OWASP, and the webappsec industry collectively,
> vendors building up OWASP was absolutely essential. Many of us, myself
> included, originally came from the enterprise because we saw a real (appsec)
> problem that needed to be solved and we had to organize and evangelize as
> vendors -- so we did. We paved the way and should be proud of that. Today
> though we must recognize that it is no longer 2001, it is 2011 are many
> organizations as a result have heavily invested in their application
> security programs. They have much knowledge to share with their peers.
> >>
> >> Imagine having CSOs from major eCommerce, financial services,
> healthcare, etc. organizations stacking the OWASP board. That would speak
> volumes to their peers, who it is always said need to be more included in
> OWASP. Enterprises on the OWASP board would hugely encourage other
> organizations to similarly invest in their application security programs and
> get actively involved in the community. In my opinion, just adding
> "developers" doesn't go far enough, and wouldn't influence nearly enough.
> >>
> >> Personally, when nominations open, these are the candidates I'd
> encourage looking and voting for. Time for the enterprises to lead and
> choose their own destiny.
> >>
> >> Regards,
> >>
> >> Jeremiah Grossman
> >> Chief Technology Officer
> >> WhiteHat Security, Inc.
> >> http://www.whitehatsec.com/
> >>
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110223/774aed01/attachment-0001.html 


More information about the OWASP-Leaders mailing list