[Owasp-leaders] OWASP Core Values

James McGovern JMcGovern at virtusa.com
Mon Jan 17 09:30:59 EST 2011


1. Mike, I love the thought of an Agile-focused SAMM. What I love even
more is simply encouraging the infosec profession at large to understand
and adopt Agile values. Are our audit practices in any way aligned with
Agile values? I think we need to focus Agile thinking on ISACA-encouraged
practices as the starting point.

2. For those who believe in Agile, do we think that the challenges of
developers working on developing secure applications are more a matter of
things advocated in XP (such as test harnesses) or more about project
management stuff (like having a sprint dedicated to security)? This should
guide us to a better point.

3. Do we champion approaches such as Protection Poker as a
replacement/supplement to the OWASP risk rating method?

4. Can we flip the NDA on its head and figure out the notion of an Open
NDA? There are a few things we want to keep secret (distinct from keeping
closed), while there are other things we want to put on blast and would
love to have others amplify (echo chambers do help with top-down).

 

James McGovern
http://twitter.com/McGovernTheory

Virtusa Corporation
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mike
Boberski
Sent: Sunday, January 16, 2011 2:02 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Core Values

 

Ick. That's what I have to say to this and many recent threads, the past
year or so.

Give me freaking STANDARDS and READY TO USE tools that I can use to make
fixes and point others to as THE basis for instructing others to put
controls into place. Where is a freaking Agile-focused SAMM, to use a
different example than ASVS or ESAPI? I don't care about anything else
as far as OWASP or any industry organization is concerned. I'm not here
to make friends. I am nonplussed with the comparatively recent,
disproportionate emphasis on building echo chambers (to borrow a phrase
from a recent thread of ever-larger size); it doesn't help me do my job.

I don't give a fudge about whether or not there exists a committee for
this or that. No freaking way I'm signing NDAs; just go ahead and delete
me from this list and others already if that's where you're going. My
stars. It's not rocket science why the vast majority of developers and
application owners don't care about OWASP. Stop. Focus. What is the end
result from a developer's perspective that you're trying to achieve with
something? Execute. If you're not helping Joe Developer achieve a
specific result to make a fix or to hold onto a painfully-achieved
security posture, you're wasting your and their time.

 

Mike

On Sun, Jan 16, 2011 at 9:32 AM, Thomas Brennan <tomb at owasp.org> wrote:

Personally I am not interested in signing any documentation
(Non-Disclosure Agreement(s)) for any OWASP Foundation efforts, projects,
etc. If people need and want help, we're here to do that publicly with
meetings, meeting minutes, topics, etc., mailing lists, and collaborate as
such. You will see this first hand at the summit, Yiannis - it's NOT the
loudest voice in the room; it is by consensus when the facts have been
presented by both sides, but very much governed by the Code of Ethics and
Principles http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics

Commercial ventures are very different - as an example, if I need to sign
1000 NDAs for my work with Trustwave, SpiderLabs related to customer
projects, no problem; that is part of mutual trust in a confidential
business matter with the customers and partners. At OWASP I like that we
don't have this issue personally.

Loose lips do, too, sink ships, however. The reality and personal
integrity of its members and as a group is how we arrived at the below
statement:

http://www.owasp.org/index.php/Core_Values_and_Definitions

I look forward to the reading of the feedback form(s) provided above at
the Summit to start the discussion and with rough consensus.

 

-Brennan

On Jan 15, 2011, at 10:14 PM, Yiannis Pavlosoglou wrote:

Hi all,

I would like to discuss this idea of "open" a bit more; maybe this
list is not the right forum and perhaps we can talk about it in the
summit.

Here is a simple example: does "open" justify my address and how many
kids I have being out on a media wiki, because I am part of OWASP?

Now there isn't anything to hide in my inbox or voicemails or Skype
conversations; quite sadly, industry reach-out information is mostly what
you will find.

But at the same time we have a strong requirement (in industry at
least) to work with not-so-open organisations. Consequently the case
of signing an NDA as an individual comes up every so often. Now, under
this facade of "openness", I have no way of sharing that with even
other industry members.

Ergo, we are pushing for an NDA in industry to have the ability to
communicate openly among ourselves. Not to mention an NDA is pretty
much standard practice in information security.

Just to clarify, this is not an attempt to make OWASP "closed"; all
source code I have ever written is under GPL and all outputs in
industry are available to all. Still, if you call me for, say, Tobias's
number from the IETF, I will check with them before passing that
information out.

Thus the request becomes: can we please be open about what we deliver
in web application security, not minutes and meeting mp3s of catch-up
calls and itinerary information? It might even assist in raising the
quality of output as well!

Is that too much to ask for?

Thank you,

Yiannis

On 15 January 2011 19:19, Michael Coates <michael.coates at owasp.org>
wrote:

If you haven't already done so I would really encourage everyone to take
a look and submit feedback.

http://www.owasp.org/index.php/Core_Values_and_Definitions

We are at a point where we really need to define our core values and
decide on the direction of OWASP. This is a major step in that direction.
Let's make sure we capture the right values and are heading the right
way.

From the link (which has a feedback submission form you should use):

OPEN

Everything OWASP is radically transparent from finances to code.

EXPERIMENTATION

OWASP encourages and supports experiments for solutions to software
security challenges.

GLOBAL

Anyone around the world can participate in the OWASP community.

INTEGRITY

OWASP is an honest and truthful, vendor agnostic, global community.

Michael Coates

OWASP

On Jan 14, 2011, at 9:53 AM, Thomas Brennan wrote:

Just one of the many internal OWASP Foundation projects underway has been
to work with a 3rd party management company to unify the update mission
of OWASP 4.0.

Details of the project:

http://www.owasp.org/index.php/Tesauro_Management_Counselors

As a result of PHASE I, I share a milestone; pay close attention to the
wording.

http://www.owasp.org/index.php/Core_Values_and_Definitions

This is now in RFC to the owasp-leaders with ratification at the OWASP
Summit at the kick-off session. If you have comments or suggestions,
please use the feedback provided on the wiki page.

Thank you in advance for your valuable time.

** If you have not looked recently at the working sessions, take the time
to review; hundreds of volunteer man hours have been invested in the
summit so far for YOU the community
http://www.owasp.org/index.php/Summit_2011. It's going to be amazing!

	 

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders




-- 
Dr. Yiannis Pavlosoglou
OWASP Global Industry Committee
http://www.owasp.org/index.php/Global_Industry_Committee