[Owasp-leaders] What is the problem with http://security.stackexchange.com/

Chris Schmidt chris.schmidt at owasp.org
Thu Jan 26 16:39:00 UTC 2012


Touché - I concede that fact if the search is phrased correctly. Is the
developer experience the same? My gut says no, otherwise we wouldn't
even be having this conversation :)

On 1/26/2012 9:09 AM, Michael Coates wrote:
> "leveraging stellar search ranking provided by a provider that has
> already put in the miles to get their results in the top ten."
>
> OWASP.org - already in the top results :)
>
>
> Michael Coates
> OWASP
> michael.coates at owasp.org
>
>
>
> On Jan 26, 2012, at 7:50 AM, Chris Schmidt wrote:
>
>> This is the most awesome post on the list so far this year!
>>
>> I completely agree with Dennis here. Developers are looking for
>> solutions when they google a problem, not a description of the problem -
>> how it works - and what it means. They may bookmark that information and
>> go back to it at a later date, but when they search for "How do I fix
>> CSRF" they are looking for the answer and in my experience will grab the
>> first one they come across. Our goal should be to get the *correct*
>> solutions in front of devs, in order to do that we should be leveraging
>> stellar search ranking provided by a provider that has already put in
>> the miles to get their results in the top ten.
>>
>> On 1/26/2012 8:37 AM, Dennis Groves wrote:
>>> Here is the thing, it is better to focus on solutions. Vulns are like
>>> blacklists, Solutions are like whitelists -
>>>
>>> Enumeration of vulns is a lot like masturbation - it feels great but
>>> doesn't accomplish much.
>>>
>>> Solutions on the other hand create great value; additionally there is
>>> not any debate about discussing them, responsible disclosure of
>>> solutions nor any other bull-shit.
>>>
>>> Focus on solutions - change the game, make the world a better place. :-)
>>>
>>>
>>> --
>>> Dennis Groves (http://about.me/dennis.groves), MSc
>>> dennis.groves at gmail.com (mailto:dennis.groves at gmail.com)
>>>
>>>
>>>
>>> On Thursday, 26 January 2012 at 15:08, John Wilander wrote:
>>>
>>>> Do we know if developers etc shy away from asking security questions
>>>> in the open? I've certainly been in situations where I'd like to get the
>>>> community's opinion but I didn't want to expose the customer/team/project.
>>>>
>>>> Stack Exchange is a very exposing place. An OWASP forum might be
>>>> less so.
>>>>
>>>> It's like demoing vulnerabilities. We do that within our community
>>>> because everybody knows the rules of the game (full disclosure,
>>>> responsible disclosure, what's known and what's not). But we probably
>>>> hesitate demoing the same way to the general public. At OWASP AppSec I
>>>> might demo CSRF against a real site whereas I do it against WebGoat in
>>>> other circumstances.
>>>>
>>>> What I'm trying to say is an OWASP forum might get more honest,
>>>> detailed questions whereas Stack Exchange attracts open security
>>>> questions replied to with a mandatory pissing contest.
>>>>
>>>> Regards, John
>>>>
>>>> --
>>>> My music http://www.johnwilander.com
>>>> Twitter https://twitter.com/johnwilander
>>>> CV or Résumé http://johnwilander.se
>>>>
>>>> On 26 Jan 2012, at 15:41, dinis cruz <dinis.cruz at owasp.org
>>>> (mailto:dinis.cruz at owasp.org)> wrote:
>>>>
>>>>> I think we tried that originally and it got merged with the general
>>>>> security one
>>>>>
>>>>> Dinis Cruz
>>>>>
>>>>> On 26 Jan 2012, at 14:39, Thomas Brennan <tomb at owasp.org
>>>>> (mailto:tomb at owasp.org)> wrote:
>>>>>
>>>>>> We (OWASP) could ask for appsec.stackexchange and volunteer to
>>>>>> moderate/sponsor its shared goal
>>>>>>
>>>>>> Semper Fi,
>>>>>>
>>>>>> Tom Brennan
>>>>>> http://www.linkedin.com/in/tombrennan
>>>>>> 9732020122
>>>>>>
>>>>>> On Jan 26, 2012, at 9:34 AM, Rory Mccune <rorym at nmrconsult.net
>>>>>> (mailto:rorym at nmrconsult.net)> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I'd say that security stackexchange is a good option. I've been a
>>>>>>> user of it more or less since launch and the community is pretty good,
>>>>>>> the mods are reasonable and it's a free service, so no questions of
>>>>>>> content being restricted to paying members.
>>>>>>>
>>>>>>> Definitely additional oomph from owasp membership would be great.
>>>>>>>
>>>>>>> The referrals from stackoverflow and other stack exchange sites
>>>>>>> are useful as people who ask security related questions can be easily
>>>>>>> redirected without losing context and also if an off-topic question comes
>>>>>>> up in the forum it can be moved without just closing it down.
>>>>>>>
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Rory
>>>>>>>
>>>>>>> Sent from my iPad
>>>>>>>
>>>>>>> On 26 Jan 2012, at 13:50, Chris Schmidt <chris.schmidt at owasp.org
>>>>>>> (mailto:chris.schmidt at owasp.org)> wrote:
>>>>>>>
>>>>>>>> experts-exchange is a pay service, I would recommend staying
>>>>>>>> away from it.
>>>>>>>>
>>>>>>>> I am curious what is wrong with stack-exchange as well. This
>>>>>>>> sounds like *exactly* what the intent of that experiment was. I
>>>>>>>> haven't been there for a few weeks, but last I checked people were
>>>>>>>> still actively using it as well. With a little additional oomph from
>>>>>>>> the OWASP membership I think that it could become very active. Stack
>>>>>>>> exchange already ranks extremely well in search results so for the
>>>>>>>> majority of people who google their questions, I think this is a
>>>>>>>> better solution all the way around.
>>>>>>>>
>>>>>>>> Additionally, there is already an OWASP irc channel that we could
>>>>>>>> start promoting as a place to come ask questions to, right now it is
>>>>>>>> usually just a few of us lurkers but we do occasionally get people in
>>>>>>>> who have security questions.
>>>>>>>>
>>>>>>>> On 1/26/2012 5:33 AM, Achim wrote:
>>>>>>>>> another one is experts-exchange.com
>>>>>>>>> (http://experts-exchange.com) which has an established user management,
>>>>>>>>> supports forum with mail notifications (also chat IIRC), has some kind
>>>>>>>>> of round table,
>>>>>>>>> and the questions and answers are "moderated".
>>>>>>>>>
>>>>>>>>> Just my 2 pence,
>>>>>>>>> Achim
>>>>>>>>>
>>>>>>>>> On 26.01.2012 10:47, dinis cruz wrote:
>>>>>>>>>> And why don't we use it?
>>>>>>>>>>
>>>>>>>>>> There are clearly a couple issues with it, or we would be
>>>>>>>>>> using it.
>>>>>>>>>>
>>>>>>>>>> Can we identify them? (so that we learn from the past)
>>>>>>>>>>
>>>>>>>>>> Dinis Cruz
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>> (mailto:OWASP-Leaders at lists.owasp.org)
>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
