[Owasp-leaders] Creating OWASP 4.0!

Matthew Chalmers matthew.chalmers at owasp.org
Wed Jan 12 21:21:17 EST 2011

Sorry to resurrect an old(ish) thread (I just don't get much done from
Thanksgiving to New Year's).

A one-day class for auditors on OWASP might be overkill. And if it was at an
OWASP event it might not attract many attendees. I think some of us could
collaborate on a ½- to 4-hour presentation deck that could be used by
OWASPers who were able to attend (IT) audit-centric events (in addition to
engaging organizations like ISACA directly to mutual benefit). It might be
more useful at OWASP events to have a ½- to 4-hour session on auditing for
developers and appsec folks.

Part of the problem with evangelizing appsec to developers is that while
they may be receptive, they don't always have the ability to implement what
they've learned when it appears to add time to their projects (or take time
away depending on how you look at it). Auditors, however, often do--in my
experience--have the ability to add items to their work programs.

Note that I'm using "audit" and "auditor" very generically, not specifically


On Thu, Dec 9, 2010 at 9:41 AM, James McGovern <JMcGovern at virtusa.com> wrote:

> Ralph, your sentence: “Regulation such as PCI has been helpful, but it has
> been difficult for it to be effective given that Web App Security isn't very
> measurable by the average auditor.” What if we could leverage this as both
> an education and PR opportunity? Imagine a marketing campaign where we
> publicly stated that all OWASP conferences are free to PCI QSA’s!
> Additionally, what if we used some of our common training curricula to have
> a one-day class just for auditors on how to understand OWASP?

On Thu, Dec 9, 2010 at 9:53 AM, James McGovern <JMcGovern at virtusa.com>

> Rex, we are actually in full agreement. I think my thought process is wired
> around the notion of think globally, act locally. Yes, we should have a
> little bit of “governance” in place such that projects do accomplish the
> “strategic” intent of making appsec visible. Maybe this starts with us
> outlining what are the capabilities we require and the outcomes desired
> (yes, this sounds enterprisey). Some things that I would love to see happen
> in 2011 are:
> - Less focus on large enterprises and government. More on helping
> out the little guys.
> - Bring balance to be developer-specific vs developer-friendly.
> We need for webappsec to be “visible” to all IT demographics that
> participate in the SDLC. Maybe we can help business analysts capture
> misuse/abuse cases to fill out an important gap?
> - Work with other organizations. I truly believe that there is
> merit in helping out audit-centric organizations such as ISACA who continue
> to promote silly audit checklists on things that don’t matter. Who cares if
> I have a clean desk policy, which is as important as checking to see if my
> Number two pencils are sharpened. We need to get better with outreach and
> not be so insular.
> - Figure out ways to get more media attention for our great work.
> This includes magazines, newspapers and industry analyst firms.