[Owasp-leaders] What is the problem with http://security.stackexchange.com/

Dennis Groves dennis.groves at owasp.org
Thu Jan 26 15:37:37 UTC 2012


Here is the thing: it is better to focus on solutions. Vulns are like blacklists; solutions are like whitelists.

Enumeration of vulns is a lot like masturbation - it feels great but doesn't accomplish much.

Solutions on the other hand create great value; additionally there is not any debate about discussing them, responsible disclosure of solutions nor any other bull-shit.   

Focus on solutions - change the game, make the world a better place. :-)


--
Dennis Groves (http://about.me/dennis.groves), MSc
dennis.groves at gmail.com



On Thursday, 26 January 2012 at 15:08, John Wilander wrote:

> Do we know if developers etc shy away from asking security questions in the open? I've certainly been in situations where I'd like to get the community's opinion but I didn't want to expose the customer/team/project.
>  
> Stack Exchange is a very exposing place. An OWASP forum might be less so.
>  
> It's like demoing vulnerabilities. We do that within our community because everybody knows the rules of the game (full disclosure, responsible disclosure, what's known and what's not). But we probably hesitate demoing the same way to the general public. At OWASP AppSec I might demo CSRF against a real site whereas I do it against WebGoat in other circumstances.
>  
> What I'm trying to say is an OWASP forum might get more honest, detailed questions whereas Stack Exchange attracts open security questions replied to with a mandatory pissing contest.
>  
> Regards, John
>  
> --  
> My music http://www.johnwilander.com
> Twitter https://twitter.com/johnwilander
> CV or Résumé http://johnwilander.se
>  
> On 26 Jan 2012 at 15:41, dinis cruz <dinis.cruz at owasp.org> wrote:
>  
> > I think we tried that originally and it got merged with the general security one
> >  
> > Dinis Cruz
> >  
> > On 26 Jan 2012, at 14:39, Thomas Brennan <tomb at owasp.org> wrote:
> >  
> > > We (OWASP) could ask for appsec.stackexchange and volunteer to moderate/sponsor its shared goal
> > >  
> > > Semper Fi,
> > >  
> > > Tom Brennan
> > > http://www.linkedin.com/in/tombrennan
> > > 9732020122
> > >  
> > > On Jan 26, 2012, at 9:34 AM, Rory Mccune <rorym at nmrconsult.net> wrote:
> > >  
> > > > Hi all,
> > > >  
> > > > I'd say that security stackexchange is a good option. I've been a user of it more or less since launch and the community is pretty good, the mods are reasonable and it's a free service, so no questions of content being restricted to paying members.
> > > >  
> > > > Definitely additional oomph from owasp membership would be great.
> > > >  
> > > > The referrals from stackoverflow and other stack exchange sites are useful as people who ask security related questions can be easily redirected without losing context and also if an off-topic question comes up in the forum it can be moved without just closing it down.
> > > >  
> > > >  
> > > > Cheers
> > > >  
> > > > Rory
> > > >  
> > > > Sent from my iPad
> > > >  
> > > > On 26 Jan 2012, at 13:50, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> > > >  
> > > > > experts-exchange is a pay service; I would recommend staying away from it.
> > > > >  
> > > > > I am curious what is wrong with stack-exchange as well. This sounds like
> > > > > *exactly* what the intent of that experiment was. I haven't been there
> > > > > for a few weeks, but last I checked people were still actively using it
> > > > > as well. With a little additional oomph from the OWASP membership I
> > > > > think that it could become very active. Stack exchange already ranks
> > > > > extremely well in search results so for the majority of people who
> > > > > google their questions, I think this is a better solution all the way
> > > > > around.
> > > > >  
> > > > > Additionally, there is already an OWASP irc channel that we could start
> > > > > promoting as a place to come ask questions to, right now it is usually
> > > > > just a few of us lurkers but we do occasionally get people in who have
> > > > > security questions.
> > > > >  
> > > > > On 1/26/2012 5:33 AM, Achim wrote:
> > > > > > another one is experts-exchange.com, which has an established user management, supports
> > > > > > forum with mail notifications (also chat IIRC), has some kind of round table,
> > > > > > and the questions and answers are "moderated".
> > > > > >  
> > > > > > Just my 2 pence,
> > > > > > Achim
> > > > > >  
> > > > > > On 26.01.2012 10:47, dinis cruz wrote:
> > > > > > > And why don't we use it?
> > > > > > >  
> > > > > > > There are clearly a couple issues with it, or we would be using it.
> > > > > > >  
> > > > > > > Can we identify them? (so that we learn from the past)
> > > > > > >  
> > > > > > > Dinis Cruz
> > > > > > > _______________________________________________
> > > > > > > OWASP-Leaders mailing list
> > > > > > > OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> > > > > > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > > > > >  
> > > > > >  
> > > > > > _______________________________________________
> > > > > > OWASP-Leaders mailing list
> > > > > > OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> > > > > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > > > >  
> > > > >  
> > > > > _______________________________________________
> > > > > OWASP-Leaders mailing list
> > > > > OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> > > > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > > >  
> > > >  
> > > > _______________________________________________
> > > > OWASP-Leaders mailing list
> > > > OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> > > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > >  
> > >  
> > > _______________________________________________
> > > OWASP-Leaders mailing list
> > > OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >  
> >  
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>  
>  
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org (mailto:OWASP-Leaders at lists.owasp.org)
> https://lists.owasp.org/mailman/listinfo/owasp-leaders




