[Owasp-leaders] OWASP Core Values

James McGovern JMcGovern at virtusa.com
Mon Jan 17 09:30:59 EST 2011

1. Mike, I love the thought of an Agile-focused SAMM. What I love
even more is simply encouraging the infosec profession at large to
understand and adopt Agile values. Are our audit practices in any way
aligned with Agile values? I think we need to focus Agile thinking on
ISACA-encouraged practices as the starting point.

2. For those who believe in Agile, do we think that the challenges
of developers working on developing secure applications are more a
matter of things advocated in XP (such as test harnesses) or more about
project management stuff (like having a sprint dedicated to security)?
This should guide us to a better point.

3. Do we champion approaches such as Protection Poker as a
replacement/supplement to the OWASP risk rating method?

4. Can we flip the NDA on its head and figure out the notion of an
Open NDA? There are a few things we want to keep secret (distinct from
keeping closed) while there are other things we want to put on blast and
would love to have others amplify (echo chambers do help with top-down).


James McGovern

Virtusa Corporation


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mike
Sent: Sunday, January 16, 2011 2:02 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Core Values


Ick. That's what I have to say to this and many recent threads, the past
year or so.

Give me freaking STANDARDS and READY TO USE tools that I can use to make
fixes and point others to as THE basis for instructing others to put
controls into place. Where is a freaking Agile-focused SAMM, to use a
different example than ASVS or ESAPI? I don't care about anything else
as far as OWASP or any industry organization is concerned. I'm not here
to make friends. I am nonplussed with the comparatively recent
disproportionate emphasis on building echo chambers (to borrow a phrase
from a recent thread) of ever-larger size; it doesn't help me do my job.

I don't give a fudge about whether or not there exists a committee for
this or that. No freaking way I'm signing NDAs; just go ahead and delete
me from this list and others already if that's where you're going. My
stars. It's not rocket science why the vast majority of developers and
application owners don't care about OWASP. Stop. Focus. What is the end
result from a developer's perspective that you're trying to achieve with
something? Execute. If you're not helping Joe Developer achieve a
specific result to make a fix or to hold onto a painfully-achieved
security posture, you're wasting your and their time.

On Sun, Jan 16, 2011 at 9:32 AM, Thomas Brennan <tomb at owasp.org> wrote:

Personally I am not interested in signing any documentation
(Non-Disclosure Agreement(s)) for any OWASP Foundation efforts, projects
etc. If people need and want help we're here to do that publicly with
meetings, meeting minutes, topics etc., mailing lists, and collaborate as
such. You will see this first hand at the summit, Yiannis - it's NOT the
loudest voice in the room, it is by consensus when the facts have been
presented by both sides, but very much governed by the Code of Ethics and
Principles http://www.owasp.org/index.php/About_OWASP#Code_of_Ethics

Commercial ventures are very different - as an example, if I need to sign
1000 NDAs for my work with Trustwave, SpiderLabs related to customer
projects, no problem, that is part of mutual trust in a confidential
business matter with the customers and partners. At OWASP I like that we
don't have this issue personally.

Loose lips do, too, sink ships, however. The reality and personal
integrity of its members and as a group is how we arrived at the below

Look forward to the reading of the feedback form(s) provided above at
the Summit to start the discussion and with rough consensus.

On Jan 15, 2011, at 10:14 PM, Yiannis Pavlosoglou wrote:

Hi all,

I would like to discuss this idea of "open" a bit more; maybe this
list is not the right forum and perhaps we can talk about it in the

Here is a simple example: does "open" justify my address and how many
kids I have being out on a MediaWiki, because I am part of OWASP?

Now there isn't anything to hide in my inbox or voicemails or Skype
conversations; quite sad industry reach-out information is mostly what
you will find.

But at the same time we have a strong requirement (in industry at
least) to work with not-so-open organisations. Consequently the case
of signing an NDA as an individual comes up every so often. Now, under
this facade of "openness", I have no way of sharing that with even
other industry members.

Ergo, we are pushing for an NDA in industry to have the ability to
communicate openly among ourselves. Not to mention an NDA is pretty
much standard practice in information security.

Just to clarify, this is not an attempt to make OWASP "closed"; all
source code I have ever written is under GPL and all outputs in
industry are available to all. Still, if you call me for, say, Tobias'
number from the IETF, I will check with them before passing that
information out.

Thus the request becomes: can we please be open about what we deliver
in web application security? Not minutes and meeting mp3s of catch-up
calls and itinerary information. Might even assist in raising quality
of output as well!

Is that too much to ask for?

Thank you,

On 15 January 2011 19:19, Michael Coates <michael.coates at owasp.org>

If you haven't already done so I would really encourage everyone to take
a look and submit feedback.

We are at a point where we really need to define our core values
and decide on the direction of OWASP. This is a major step in that
direction. Let's make sure we capture the right values and are heading the right

From the link (which has a feedback submission form you should

Everything OWASP is radically transparent from finances to code.

OWASP encourages and supports experiments for solutions to
software security

Anyone around the world can participate in the OWASP community.

OWASP is an honest and truthful, vendor agnostic, global

Michael Coates

On Jan 14, 2011, at 9:53 AM, Thomas Brennan wrote:

Just one of the many internal OWASP Foundation projects underway
has been to work with a 3rd party management company to unify the update
mission of OWASP 4.0

Details of the project:

As a result of PHASE I, I share a milestone, pay close attention
to the

This is now in RFC to the owasp-leaders with ratification at the
Summit at the kick-off session. If you have comments or suggestions
please use the feedback provided on the wiki page.

Thank you in advance for your valuable time.

** If you have not looked recently at the working sessions take
the time to review; hundreds of volunteer man-hours have been invested in the
summit so far for YOU, the community
http://www.owasp.org/index.php/Summit_2011 it's going to be amazing!

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org




Dr. Yiannis Pavlosoglou
OWASP Global Industry Committee




