[Owasp-leaders] 2012 Rugged Summit

Jeff Williams jeff.williams at owasp.org
Thu Aug 30 20:41:58 UTC 2012


Hi Jerry,

I don't see Rugged as a reformulation of *anything* people are already doing.  Many traditional activities are valuable, but there are an awful lot that don't end up producing any value.  That is, they're disconnected from what the business needs.

Rugged is focused on generating a software development culture that produces security in a tangible, defensible way. As Denzel said in Training Day, "it's not what you know -- it's what you can prove."

Think about the security story for any website on the planet.  I guarantee if you capture it, it will reveal gaps.  And over time it will drive the communication you need to improve your organization.  This is the "visible" that OWASP should champion.

I hope you'll try it.  I'm happy to help anyone interested create a security story and start "Thinking in Rugged."

--Jeff



On Aug 30, 2012, at 4:18 PM, "Tom Brennan" <tomb at owasp.org> wrote:

> Good feedback -- cc to the guys leading the effort. 
> 
> A suggestion was already floated on getting it up on a wiki; hmmm, I know a group that has a wiki *cough* https://www.owasp.org/index.php/Category:OWASP_RuggedSoftware -- for community review and contribution to sections, or to take inbound feedback for Version 5.0, or another working group that is open to anyone who wants to attend and contribute.
> 
> Will relay what we hear to the list; poke the badgers, bears and ice-T @ http://www.ruggedsoftware.org/about.html  
> 
> 
> 
> -----Original Message-----
> From: Jerry Hoff [mailto:jerry at owasp.org] 
> Sent: Thursday, August 30, 2012 2:24 PM
> To: tomb at owasp.org
> Cc: <owasp-leaders at lists.owasp.org>
> Subject: Re: [Owasp-leaders] 2012 Rugged Summit
> 
> Hello all,
> 
> Nice work! Although my first reaction was: Honey badgers? Ice-T? Seriously? 
> 
> I think this is an interesting document - but I hope as an organization and as an industry we focus on reproducible best practices, quantitative metrics and real data behind works such as this one, rather than yet another reformulation / restatement of the same basic advice we as an industry have been preaching over the years.
> 
> A guide such as this coming out of actual metrics and real-world best practices would be much more appealing. The blurbish case studies at the end should have driven the document, instead of the other way around. 
> 
> Not trying to be antagonistic - just food for thought. 
> 
> Jerry
> 
> 
> 
> 
> 
> On Aug 30, 2012, at 1:49 PM, "Tom Brennan" <tomb at owasp.org> wrote:
> 
>> A Software Security Philosophy *RELEASED* 2012-Aug is creating quite a buzz in a very short time -- this was a HOT TOPIC at last week's DHS / US-CERT event in the USA.
>> 
>> http://www.ruggedsoftware.org/docs/RuggedHandbookv4.pdf
>> 
>> In summary, a group of well-known participants spent a week together developing the details; kudos to them for volunteering their time with attribution to OWASP.
>> 
>>  Justin Berman
>>  John Bernero
>>  Nick Coblentz
>>  Josh Corman
>>  Gene Kim
>>  Jason Li
>>  John Pavone
>>  Ken van Wyk
>>  John Wilander
>>  Jeff Williams
>>  Chris Wysopal
>> 
>> If you would like to get involved see:  http://www.ruggedsoftware.org/about.html
>> 
>> 
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders