[Owasp-leaders] The Gap Between OWASP and Developers

Sarah Baso sarah.baso at owasp.org
Wed Feb 23 09:10:32 EST 2011


Eoin and John- this item has been added to the agenda for Friday's
industry call.

Sarah

On 2/23/11, Eoin <eoin.keary at owasp.org> wrote:
> Hi John,
> may I humbly respond to your observations below?
>
> On 23 February 2011 12:31, John Steven <John.Steven at owasp.org> wrote:
>
>> All,
>>
>> Prior to the first OWASP summit, I suggested to Dinis we needed to
>> make a change like Jeremiah describes. He agreed and suggested he'd
>> help fund anyone who I could convince to come. I actively lobbied my
>> clients to no avail. Since the first summit, we've all heard several
>> well-respected members of the OWASP community--who are not
>> vendors--lament how difficult it is for them to contribute. The
>> situation faced remains what it was and is simply:
>>
>> ----
>> There is no formal conduit through which the participation of
>> commercial entities and their employees feel comfortable contributing
>> while protecting their organization's privacy, intellectual property,
>> and employment.
>> ----
>>
> *EK - this is where the industry committee comes in, in some ways. It needs
> to start bridging the gap between OWASP and "the world".*
> *We have elected an industry committee chair (Joe Bernik) who is not a
> vendor which is a great start and something I support and have been
> preaching into an echo chamber for the past year. This should (I hope)
> start to get the ball moving and give OWASP a chance to connect with the
> non-vendor/consultant community. Joe's insight into such issues should help
> understand the challenge better and even get some stuff done rather than
> talking about it! *
>
>
>
>> Some organizations and their employees can participate without such a
>> formal conduit, and that's great. Others will not be able to. I
>> imagine we want to actively include those who are currently precluded,
>> even in a first such attempt at outreach for greater involvement.
>> Something Joe, Tom, and other representatives from commercial entities
>> and I have talked about is establishing some 'ground rules' for
>> working with these reluctant organizations. Ground rules would need to
>> address the issues I described in the breakout above.
>>
>> Failing to make progress on this issue is likely going to cause the
>> same deja vu feeling in the broader leader's list that it's doing for
>> me now. I think this is a 'non-starter' situation.
>>
>> If someone from the Industry committee is willing to take lead on this
>> effort and produce a draft, I'd be happy to push it to my contacts in
>> industry and act as intermediary so that they could anonymously
>> improve it for our use.
>>
>
> *EK - I am happy to volunteer or at least help, but I'm from the "evil"
> board; I don't know if this is an issue or not?*
> *The reason I went for the board elections 14 months ago was to try and fix
> the industry link issue you, Jeremiah and I are talking about. I am so glad
> we are getting to this point and clever guys like you and J see this problem.
> I don't know about you, but I am tired of talking security with security
> folk, preaching to the choir when the real problem continues to grow.*
>
>>
>> -jOHN
>>
>> On Fri, Feb 18, 2011 at 8:08 PM, Tom Brennan <tomb at owasp.org> wrote:
>> > That is the plan of the industry committee for those that missed that
>> > mission and goal - Joe's got the ball and is running with that with the
>> > team of the global industry committee
>> >
>> > The board nominations can take place as soon as April, with the election
>> > 3 months after the candidates are locked in. As we did in 2009, the
>> > candidates need to have a "why me" document write-up so that member
>> > voters can elect a volunteer leader.
>> >
>> > So if you are reading this and you are an OWASP member and
>> > leader/committee member, you are eligible to be nominated as a candidate;
>> > then the election will happen and the 2-year term will start in January.
>> >
>> > I will be leading this effort with the assistance of Dan Cornell and the
>> > rest of the Global Membership Committee, like we did in 2009.
>> >
>> > Brennan
>> > 9732020122
>> >
>> > Tom Brennan
>> > OWASP Foundation
>> > 973-202-0122
>> >
>> > -----Original Message-----
>> > From: Andre Gironda <andreg at gmail.com>
>> > Sender: owasp-leaders-bounces at lists.owasp.org
>> > Date: Fri, 18 Feb 2011 11:51:50
>> > To: <owasp-leaders at lists.owasp.org>
>> > Reply-To: "Feel free to browse the archives." <owasp-leaders at lists.owasp.org>
>> > Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
>> > Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
>> >
>> > On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> >> I'm passing on a message from Jeremiah Grossman on
>> >> vendor/OWASP/enterprise relations. Insightful comments - especially
>> >> coming from a vendor. ;)
>> >> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping
>> >> up as the Industry Committee chair. I think this fits into both
>> >> Jeremiah's vision and OWASP's mission very well.
>> >>
>> >> Aloha,
>> >> Jim
>> >
>> > Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
>> > and he put it very eloquently:
>> >
>> > "Imagine having CSOs from major eCommerce, financial services,
>> > healthcare, etc. organizations stacking the OWASP board"
>> >
>> > I think this is the BEST idea to ever come from Jeremiah, and the only
>> > thing I would add to it would be, "as long as WhiteHat Security
>> > customers are only represented as a minority and not a majority". ;>
>> >
>> > If vendors are recommending that their most-faithful of customers
>> > become the leadership instead of the vendors themselves -- we could
>> > end up in a much worse situation than we are already in with regards
>> > to promoting the believability of our appsec expertise (as well as
>> > actually having any real experience or direction to put forward to the
>> > industry).
>> >
>> > -Andre
>> >
>> >> ****
>> >>
>> >> OWASP Leaders,
>> >>
>> >> Want to know what scares enterprises, and by extension developers, away
>> >> from OWASP more than anything else? Us. That is, us vendors.
>> >>
>> >> They look at who makes up the global board. 100% vendors, of one
>> >> particular ilk. They look at who sponsors, the Summit or in general:
>> >> nearly all vendors. They see who gives the presentations. Right,
>> >> essentially all vendors. I wouldn't be surprised if OWASP's paid-for
>> >> user membership wasn't also lopsided by vendors. This doesn't leave much
>> >> room for the enterprise representatives to assume key roles and
>> >> influence the direction of the organization as they should be afforded.
>> >>
>> >> In the beginning days of OWASP, and the webappsec industry collectively,
>> >> vendors building up OWASP was absolutely essential. Many of us, myself
>> >> included, originally came from the enterprise because we saw a real
>> >> (appsec) problem that needed to be solved and we had to organize and
>> >> evangelize as vendors -- so we did. We paved the way and should be proud
>> >> of that. Today, though, we must recognize that it is no longer 2001, it
>> >> is 2011, and many organizations as a result have heavily invested in
>> >> their application security programs. They have much knowledge to share
>> >> with their peers.
>> >>
>> >> Imagine having CSOs from major eCommerce, financial services,
>> >> healthcare, etc. organizations stacking the OWASP board. That would
>> >> speak volumes to their peers, who it is always said need to be more
>> >> included in OWASP. Enterprises on the OWASP board would hugely encourage
>> >> other organizations to similarly invest in their application security
>> >> programs and get actively involved in the community. In my opinion, just
>> >> adding "developers" doesn't go far enough, and wouldn't influence nearly
>> >> enough.
>> >>
>> >> Personally, when nominations open, these are the candidates I'd
>> >> encourage looking at and voting for. Time for the enterprises to lead
>> >> and choose their own destiny.
>> >>
>> >> Regards,
>> >>
>> >> Jeremiah Grossman
>> >> Chief Technology Officer
>> >> WhiteHat Security, Inc.
>> >> http://www.whitehatsec.com/
>> >>
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> >
>>
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>

-- 
Sent from my mobile device

OWASP Global Summit Organizing Committee
Secretary for OWASP Global Industry Committee

Dir: 651-233-6334
skype: sarah.baso
sarah.baso at owasp.org <lorna.alamri at owasp.org>

