[Owasp-leaders] OWASP Core Values

James McGovern JMcGovern at virtusa.com
Mon Jan 17 11:46:01 EST 2011

1. Bottoms up does actually work in “some” organizations where the impediments of writing secure code have already been addressed through other channels. For example, at my past employer developers were given a certain portion of time where they could fix issues that they felt were important. In shops where everything is managed (in the negative sense), the challenge of the developer doing the right thing is reduced.

2. Gary McGraw acknowledged in the interview I did with him on the Cigital podcast that the people adopting BSIMM were all executives who came from a software development background. Sadly and increasingly, more and more people who run IT don’t come from a software development background and therefore other approaches may need to be employed. The work that we do that isn’t developer-focused appeals to those who may be auditors, which is a role that won’t get you to the CIO slot. The gap here is one of not being able to think about finances and project management, and a few projects that help folks out in this regard may be in order.

3. I really hate debates on top-down vs. bottoms-up as it only demands someone to argue middle-out. With that being said, the distinction that may be important to noodle is that developers can remediate applications using frameworks, but this doesn’t result in a sustainable approach. Likewise, a CIO can use all that audit stuff but only has a short lifespan, which also doesn’t result in anything sustainable. The folks with the right agenda who are responsible for sustainability are the folks that do Enterprise Architecture, and we have absolutely no offering for them.


James McGovern

Virtusa Corporation



From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Rex Booth
Sent: Sunday, January 16, 2011 7:06 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] OWASP Core Values


I respectfully disagree.

I think Mike is right in one respect: "What is the end result from a developer's perspective that you're trying to achieve with something. "  This is very true, and it's also why working security in through grassroots and bottom-up approaches has failed time and time again - and will continue to fail.

Tools like ESAPI and other developer-oriented projects are necessary and valuable components to our mission.  They clearly make it easier for the developer to incorporate security into their application.  But what happens when the developers simply don't care?  As Mike said, unless it's a functional requirement, it's likely not going to get their attention.

The real driver for the widespread recognition of the need for security is a top-down approach.  Working with the application owners, standards bodies, and auditing organizations is absolutely key to realizing our mission.  Those who dismiss such efforts are missing the bigger picture and clearly don't understand the IT ecosystem outside of the technical lifecycle.

Is there room for improvement?  Absolutely.  But let's be respectful of the wide variety of activities required by OWASP in order for us to effectively pursue our mission - both technical and non-technical.


