[Owasp-leaders] Solutions

Sethi, Rohit rohit at securitycompass.com
Mon Jan 24 14:17:40 EST 2011


While we're on the page of thinking about solutions & changes to reach developers, I think it's worth thinking about how the distinction between domain-specific (i.e. business logic) and domain agnostic (i.e. other/technical) threats should affect OWASP projects.

We've written an article about it here: http://labs.securitycompass.com/index.php/2011/01/21/domain-driven-security/
And we've cross-posted to the OpenSAMM blog: https://www.opensamm.org/2011/01/

Explicitly categorizing threats as domain-specific, domain-agnostic, or both in efforts such as the Top 10 or ASVS might be something to think about.

Thanks,

Rohit Sethi
Vice President, Product Development
Security Compass
http://www.securitycompass.com
Twitter: rksethi

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Thomas Brennan
Sent: Thursday, January 20, 2011 4:51 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Solutions

Tomato Tomäto. You putting together a list of names for marketing of those firms that have helped build the solution - I say we start with the global supporting organizations

http://www.owasp.org/index.php/Membership#Current_OWASP_Organization_Supporters_.26_Individual_Members

and have them broken down into categories so people can rate them in a public light on work performed etc. Oh wait... that is what Security Scoreboard http://www.securityscoreboard.com does TODAY as a commercial venture and just got funding

Does OWASP from this and duplicate? Do we give an OWASP Member logo like we speak CWE like MITRE does to those that are in the family? Other... Good summit topic, agree.



On Jan 20, 2011, at 4:44 PM, dinis cruz wrote:


I agree with Mike on the need to have a Commercial Registry, the problem is how we do it and how do we keep 'marketing speak' out of it.

If there is enough interest and energy, this is definitely worth a Summit's working session

Dinis Cruz

On 20 Jan 2011, at 15:59, Mike Boberski <mike.boberski at gmail.com> wrote:
Put the commercial services registry back to make it easy to shop for paid support.

People know how to charge for services and run their businesses on their own.

People don't offer services until consumers ask for them, and for that to happen they need to know where to look. People are otherwise earning a living doing things the way they've always done just fine.

Mike

On Wed, Jan 19, 2011 at 11:42 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
The comment on the need to have 'commercial support for OWASP project XYZ' is absolutely critical for a number of OWASP projects to go to the next level.

I have done quite a lot of thinking about this, and am trying with the OWASP O2 Platform project (that I'm leading) to create a model that others can use. See http://o2platform.com/wiki/O2_Commercial_Services#O2_Subscriptions for more details (if others feel the time is right to talk about this, let's add a working session to the Summit and figure out a plan (I have a lot of ideas and data to share on this topic)).

Some OWASP projects that need this type of Commercial Service support ASAP are: WebGoat, WebScarab, ESAPI, ZedProxy, Legal Project, OWASP Academies, Education Project, OpenSAMM, ASVS, The Guides Trilogy (Testing, Code and Developer), etc...

Note that the uptake of O2 subscriptions has been quite small, and one of the main issues still to be resolved is how this type of service should be represented on the owasp.org website. This is a reflection of the size of the O2 Platform Community and the commitment that it requires from adopting companies to use it internally (other OWASP projects should have a much easier 'sale').

OWASP is not set up to provide this type of service, and in my view, should never be. What OWASP needs is a vibrant community of commercial companies providing commercial support around OWASP projects, and then let the market decide who should get the business.

Dinis Cruz

On 19 January 2011 16:30, Jerry Hoff <jerry at jerryhoff.net> wrote:
Hi All,

I also had a few questions on this:


> 6) ESAPI, CSRFGuard, AntiSamy and other key "builder" projects get
> full-time technical resources to drive the projects to production
> quality (in terms of docs, too)
Documentation is definitely a good thing, but I think what's really holding back most of these projects from more universal adoption is lack of paid support. I've suggested the use of all three of these libraries above to clients - large clients have one question - can we get paid support? They would not even entertain the idea of using these tools on their critical applications without someone they can call for a fix if the tools mess things up down the road.

Of course, they use other open source tools as well (apache, log4j, etc...) - but those projects usually have voluminous documentation and a large community of developers and users. We have dedicated developers working on this (for Java ESAPI at least - some of the other ESAPIs seem a bit abandoned...), and we have a mailing list for ESAPI, but for many large corporations, that's not going to be enough. They want paid support, which is not something OWASP can offer, I believe.

If OWASP was going to invest in full timers, I think it would be more beneficial to have technical writers buffing out articles (a noticeable percentage of articles have quite a few TBDs, and the developer's guide 2.0 - a cornerstone project - apparently hasn't been updated since March 25, 2010, according to its Google Code repository: http://code.google.com/p/owasp-development-guide/wiki/Guide - apologies if it's being updated offline). That puppy should be updated weekly to reflect the ever growing repository of collective appsec knowledge.

So more than tools - people come to OWASP for guidance - and the documented guidance should be in better shape. That's how you'll win more hearts and minds.

Respectfully,
Jerry Hoff




On Wed, Jan 19, 2011 at 11:51 PM, James McGovern <JMcGovern at virtusa.com> wrote:
A few questions/thoughts

1. If OWASP increases the amount of full-time employees in order to support projects, how many more dollars would we have to take in on an annual basis?
2. Since OWASP is incorporated in the United States, would there be extra challenges in having employees who aren't US authorized workers?
3. Why would we limit our thinking to just technical staff? I am of the belief that it would be actually better to have dedicated PR in order to help spread the word as the first course of action.

James McGovern
http://twitter.com/McGovernTheory
Virtusa Corporation


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Monday, January 17, 2011 9:45 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Solutions

I received a few off-list emails in support of some of my last few
emails to the leaders list. However...

I really need to stop my OWASP-attacking emails, especially when
I'm not presenting clear solutions.

So I would like to take a moment to share my future vision of OWASP with
you. This is just one man's subjective opinion. I hope this is good
"grist for the mill" in prep for the summit.

1) OWASP Board focuses primarily on fundraising
2) We hire new full time technical staff members working for OWASP
3) We have a smaller number of projects with a higher level of
commitment to production quality (Focus, Daniel-san)
4) Quarterly updates of key standard-based projects (ASVS and other
OWASP emerging standards)
5) New website with clear paths for Developers, Assessment Specialists,
and Managers (Under way)
6) ESAPI, CSRFGuard, AntiSamy and other key "builder" projects get
full-time technical resources to drive the projects to production
quality (in terms of docs, too)
7) OWASP releases objective tool studies on a bi-yearly basis. I think
we are well situated to provide advice and analysis (as well as real
metrics) on the capabilities of different SAST/DAST products (if we had
full time dedicated resources)

Please note, I hope to achieve "eccentric millionaire" status in a few
years so I can help fund all of this. I have the "eccentric" part down.
I'm working on the other half now. :)

Cheers all. Looking forward to seeing you at the summit in Portugal.

- Jim
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders