[Owasp-leaders] OWASP Core Values

Rex Booth rex.booth at owasp.org
Sun Jan 16 19:05:41 EST 2011


I respectfully disagree.

I think Mike is right in one respect: "What is the end result from a 
developer's perspective that you're trying to achieve with something. "  
This is very true, and it's also why working security in through 
grassroots and bottom-up approaches has failed time and time again - and 
will continue to fail.

Tools like ESAPI and other developer-oriented projects are necessary and 
valuable components to our mission.  They clearly make it easier for the 
developer to incorporate security into their application.  But what 
happens when the developers simply don't care?  As Mike said, unless 
it's a functional requirement, it's likely not going to get their attention.

The real driver for the widespread recognition of the need for security 
is a top-down approach.  Working with the application owners, standards 
bodies, and auditing organizations is absolutely key to realizing our 
mission.  Those who dismiss such efforts are missing the bigger picture 
and clearly don't understand the IT ecosystem outside of the technical 
lifecycle.

Is there room for improvement?  Absolutely.  But let's be respectful of 
the wide variety of activities required by OWASP in order for us to 
effectively pursue our mission - both technical and non-technical.

Rex


On 1/16/2011 6:04 PM, Jim Manico wrote:
> Look at what Mike is saying, not how he is saying it.
>
> We are missing the ball here. We have tons of assessment projects. We 
> thwap developers for being insecure, but do little to empower them. 
> The developers guide is not prescriptive enough - it's more of an 
> architectural level guide, not a developers guide. ESAPI is a bloody 
> mess of alpha code with little documentation that is usable.
>
> If we as OWASP focused more on ASVS type-standards and put a real 
> professional team on ESAPI full time, including prescriptive 
> documentation, OWASP would matter more.
>
> Sure we have an "ecosystem" but it's an old boys' club of AppSec 
> consultants and pros, and it's wagging the dog way too much.
>
> We rest on our beta-quality laurels, slap our company's name on it for 
> marketing purposes, sing kumbaya to feel good, but do little to 
> help developers in a prescriptive way to really write secure code and 
> solutions.
>
> Mike, you are right. I don't like your tone, but the message behind 
> that tone is bullseye right. And Mike, I'm partially to blame here for 
> not fully supporting your documentation efforts enough.
>
> Hopefully, we can all discuss this more at the summit in a 
> constructive way.
>
> -Jim Manico
> http://manico.net
>
> On Jan 16, 2011, at 11:51 AM, Jeff Williams <jeff.williams at owasp.org 
> <mailto:jeff.williams at owasp.org>> wrote:
>
>> Thanks for the blunt feedback Mike.  I think I know why there's no 
>> "Mike Application Security Project" now.
>>
>> We all want the stuff that's usable out of the box.  But you can't 
>> just yell at people and magically get good results.  We are building 
>> a supportive ecosystem for anyone who cares about appsec.  If that's 
>> too touchy feely for you, well I guess this isn't the right place for 
>> you.
>>
>> Personally I've been almost universally challenged, supported, and 
>> encouraged by others at OWASP, with a minimum of the negative 
>> behaviors that plague other communities. I think if you really deeply 
>> consider what actually gets the useful standards, tools, and docs you 
>> are seeking created, you'll understand our path better.
>>
>> --Jeff
>>
>>
>>
>> On Jan 16, 2011, at 2:01 PM, Mike Boberski <mike.boberski at gmail.com 
>> <mailto:mike.boberski at gmail.com>> wrote:
>>
>>> Ick. That's what I have to say to this and many recent threads, the 
>>> past year or so.
>>>
>>> Give me freaking STANDARDS and READY TO USE tools that I can use to 
>>> make fixes and point others to as THE basis for instructing others 
>>> to put controls into place. Where is a freaking Agile-focused SAMM, 
>>> to use a different example than ASVS or ESAPI. I don't care about 
>>> anything else as far as OWASP or any industry organization is 
>>> concerned. I'm not here to make friends; I am nonplussed with the 
>>> comparatively recent disproportionate emphasis on building echo 
>>> chambers (to borrow a phrase from a recent thread) of ever-larger 
>>> size, which doesn't help me do my job.
>>>
>>> I don't give a fudge about whether or not there exists a committee 
>>> for this or that. No freaking way I'm signing NDAs, just go ahead 
>>> and delete me from this list and others already if that's where 
>>> you're going. My stars. It's not rocket science why the vast 
>>> majority of developers and application owners don't care about 
>>> OWASP. Stop. Focus. What is the end result from a developer's 
>>> perspective that you're trying to achieve with something. Execute. 
>>> If you're not helping Joe Developer achieve a specific result to 
>>> make a fix or to hold onto a painfully-achieved security posture 
>>> you're wasting your and their time.
>>>
>>> Mike
>>>
>>>
>>> On Sun, Jan 16, 2011 at 9:32 AM, Thomas Brennan <tomb at owasp.org 
>>> <mailto:tomb at owasp.org>> wrote:
>>>
>>>     Personally I am not interested in signing any documentation
>>>     (Non-Disclosure Agreement(s)) for any OWASP Foundation efforts,
>>>     projects etc.  If people need and want help we're here to do
>>>     that publicly with meetings, meeting minutes, topics etc., mailing
>>>     lists and collaborate as such. You will see this first hand at
>>>     the summit Yiannis - it's NOT the loudest voice in the room, it
>>>     is by consensus when the facts have been presented by both sides,
>>>     but very much governed by the Code of Ethics and Principles:
>>>     http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics
>>>
>>>     Commercial ventures are very different - as an example, if I need
>>>     to sign 1000 NDAs for my work with Trustwave, SpiderLabs
>>>     related to customer projects, no problem; that is part of mutual
>>>     trust in a confidential business matter with the customers and
>>>     partners. At OWASP I like that we don't have this issue personally.
>>>
>>>     *Loose lips do, however, sink ships.*   The reality and
>>>     personal integrity of its members and as a group is how we
>>>     arrived at the below statement:
>>>
>>>     http://www.owasp.org/index.php/Core_Values_and_Definitions
>>>
>>>     Look forward to the reading of the feedback form(s) provided
>>>     above at the Summit to start the discussion and with rough
>>>     consensus.
>>>
>>>     -Brennan
>>>
>>>
>>>
>>>
>>>     On Jan 15, 2011, at 10:14 PM, Yiannis Pavlosoglou wrote:
>>>
>>>>     Hi all,
>>>>
>>>>     I would like to discuss this idea of "open" a bit more; maybe this
>>>>     list is not the right forum and perhaps we can talk about it in the
>>>>     summit.
>>>>
>>>>     Here is a simple example: Does "open" justify my address and how many
>>>>     kids I have being out on a MediaWiki, because I am part of OWASP?
>>>>
>>>>     Now there isn't anything to hide in my inbox or voicemails or Skype
>>>>     conversations; quite sad industry reach-out information is mostly what
>>>>     you will find.
>>>>
>>>>     But at the same time we have a strong requirement (in industry at
>>>>     least) to work with not-so-open organisations. Consequently the case
>>>>     of signing an NDA as an individual comes up every so often. Now under
>>>>     this facade of "openness", I have no way of sharing that with even
>>>>     other industry members.
>>>>
>>>>     Ergo, we are pushing for an NDA in industry to have the ability to
>>>>     communicate openly among ourselves. Not to mention an NDA is pretty
>>>>     much standard practice in information security.
>>>>
>>>>     Just to clarify, this is not an attempt to make OWASP "closed"; all
>>>>     source code I have ever written is under GPL and all outputs in
>>>>     industry are available to all. Still, if you call me for, say, Tobias'
>>>>     number from the IETF, I will check with them before passing that
>>>>     information out.
>>>>
>>>>     Thus the request becomes, can we please be open about what we deliver
>>>>     in web application security. Not minutes and meeting mp3s of catch-up
>>>>     calls and itinerary information. Might even assist in raising quality
>>>>     of output as well!
>>>>
>>>>     Is that too much to ask for?
>>>>
>>>>     Thank you,
>>>>
>>>>     Yiannis
>>>>
>>>>     On 15 January 2011 19:19, Michael Coates
>>>>     <michael.coates at owasp.org <mailto:michael.coates at owasp.org>> wrote:
>>>>>     If you haven't already done so I would really encourage everyone to
>>>>>     take a look and submit feedback.
>>>>>
>>>>>     http://www.owasp.org/index.php/Core_Values_and_Definitions
>>>>>
>>>>>     We are at a point where we really need to define our core values and
>>>>>     decide on the direction of OWASP.  This is a major step in that
>>>>>     direction. Let's make sure we capture the right values and are heading
>>>>>     the right way.
>>>>>     From the link (which has a feedback submission form you should use):
>>>>>
>>>>>     OPEN
>>>>>
>>>>>     Everything OWASP is radically transparent from finances to code.
>>>>>
>>>>>     EXPERIMENTATION
>>>>>
>>>>>     OWASP encourages and supports experiments for solutions to software
>>>>>     security challenges.
>>>>>
>>>>>     GLOBAL
>>>>>
>>>>>     Anyone around the world can participate in the OWASP community.
>>>>>
>>>>>     INTEGRITY
>>>>>
>>>>>     OWASP is an honest and truthful, vendor agnostic, global
>>>>>     community.
>>>>>
>>>>>     Michael Coates
>>>>>     OWASP
>>>>>
>>>>>
>>>>>     On Jan 14, 2011, at 9:53 AM, Thomas Brennan wrote:
>>>>>
>>>>>     Just one of the many internal OWASP Foundation projects underway has
>>>>>     been to work with a 3rd party management company to unify the update
>>>>>     mission of OWASP 4.0.
>>>>>     Details of the project:
>>>>>     http://www.owasp.org/index.php/Tesauro_Management_Counselors
>>>>>     As a result of PHASE I, I share a milestone; pay close attention to
>>>>>     the wording.
>>>>>     http://www.owasp.org/index.php/Core_Values_and_Definitions
>>>>>     This is now in RFC to the owasp-leaders with ratification at the OWASP
>>>>>     Summit at the kick-off session. If you have comments or suggestions
>>>>>     please use the feedback form provided on the wiki page.
>>>>>     Thank you in advance for your valuable time.
>>>>>     ** If you have not looked recently at the working sessions, take the
>>>>>     time to review; hundreds of volunteer man-hours have been invested in
>>>>>     the summit so far for YOU the community:
>>>>>     http://www.owasp.org/index.php/Summit_2011 - it's going to be amazing!
>>>>>
>>>>>     _______________________________________________
>>>>>     OWASP-Leaders mailing list
>>>>>     OWASP-Leaders at lists.owasp.org
>>>>>     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>
>>>>
>>>>
>>>>     -- 
>>>>     Dr. Yiannis Pavlosoglou
>>>>     OWASP Global Industry Committee
>>>>     http://www.owasp.org/index.php/Global_Industry_Committee
>>>
>>>
>>>
>>>
>
>
