[Owasp-leaders] Security 101 Mailing List?

Dennis Groves dennis.groves at owasp.org
Thu Jan 26 18:06:52 UTC 2012


On 26 Jan 2012, at 17:11, Magno Logan wrote:

> Great idea Michael,
>
> I think that developers really need that way of asking basic questions
> about app security. Most of them don't learn about it during University
> and that would be a great place to teach them and show our resources.

Here's my 2¢ - I have been thinking about this for a while; so feedback 
is appreciated and desired:

Take for an example the advice to do _input validation_ -

In my 10 years of application security - not once has anybody described 
***how***.

What is a developer to make of that? And where advice is given it is 
very inconsistent and sometimes contradictory.

If regular expressions are the best way of doing things - then when do 
you use a DFA, and when do you use an NFA, and why? What are the tradeoffs? 
When is it better to use one over the other? When is it better to 
inspect your tainted strings yourself? How do you rebuild them so you 
are able to treat them as clean?

Further, where is the OWASP *regex* library that I can turn to to grab a 
DFA or NFA that validates commonly required inputs in applications - 
like names, emails, phone numbers, credit cards, addresses, etc.

What if a developer could confidently know that the best place in the 
world to turn for input validation is OWASP?

That is an exciting solution, and one that would create enormous value;
and one that, while difficult, hasn't been built.

Cheers,

Dennis



> I'm up for it 100%.
>
> Best Regards,
>
> On Thu, Jan 26, 2012 at 11:28 AM, Seba <seba at owasp.org> wrote:
>
>> http://myowasp.ning.com/ has spam entries in the forum
>> we should probably put some moderation on that (or bring it
>> offline)?
>>
>> --Seba
>>
>>
>>
>> On Thu, Jan 26, 2012 at 3:21 PM, Kate Hartmann
>> <kate.hartmann at owasp.org> wrote:
>>
>>> We have a link to “community forums” from the main page of the
>>> wiki that goes to an established ning site.  http://myowasp.ning.com/
>>>
>>> Could we leverage this somehow?
>>>
>>> Kate Hartmann
>>>
>>> Operations Director
>>>
>>> 301-275-9403
>>>
>>> www.owasp.org
>>>
>>> Skype:  Kate.hartmann1
>>>
>>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
>>> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Ludovic Petit
>>> *Sent:* Thursday, January 26, 2012 5:53 AM
>>> *To:* Michael Coates
>>> *Cc:* owasp-leaders at lists.owasp.org
>>> *Subject:* Re: [Owasp-leaders] Security 101 Mailing List?
>>>
>>> Great idea, even if indeed users are likely to have many answers from
>>> many of us.
>>>
>>> However and even in this perspective, I think it will be a good thing
>>> because it will show users the benefit of the community for the subject
>>> being treated. So as such, good for spreading the Voice of OWASP.
>>>
>>> Last but not least, I agree and understand your final comment about
>>> "dumb" questions and "Did you Google it?",
>>> but in my view and as I often say on a daily basis, there are no "dumb"
>>> questions, only wrong answers.
>>>
>>> Maybe could we foster the idea for a 'banner' in such mailing list, to
>>> make users more confident in their questions and queries ;-)
>>>
>>> Ludovic
>>>
>>> On Thu, Jan 26, 2012 at 12:26 AM, Michael Coates <
>>> michael.coates at owasp.org> wrote:
>>>
>>>
>>> I recently gave a security presentation to a group of developers in
>>> the health care startup scene.  There was great turnout and they really
>>> loved Webgoat (delivered via OWASP BWA).  As I left the presentation I
>>> pointed them at a variety of OWASP links - top 10, cheat sheets, secure
>>> coding guidelines - but I felt that it was a missed opportunity to
>>> really engage the group that had so much to gain from OWASP.
>>>
>>> What are people's thoughts about establishing an OWASP-Security-101
>>> mailing list?  The idea would be to have this be a public list where
>>> developers would ask basic/intro web security questions.  We (OWASP
>>> leaders) would then direct people to available OWASP resources or
>>> answer the questions directly.
>>>
>>> This idea would create an ecosystem with developers that are not
>>> security experts per se (e.g. getting past the echo chamber). In
>>> addition, this will quickly identify gaps in OWASP resources (5
>>> questions about topic X and we have no OWASP page on that topic).
>>>
>>> The goal here isn't to replace something like stack overflow, but
>>> instead to create an inviting space within OWASP where we can integrate
>>> more developers and publicize/enhance OWASP tools, resources, etc.
>>>
>>> One important thing for this new list would be that it's a safe place
>>> to ask "dumb" questions.  I think we could really distinguish ourselves
>>> here since many people are nervous about jumping into a more technical
>>> mailing list and just getting the "Did you google it?" type answer.
>>>
>>>
>>> Thoughts?  OWASP-Security-101?
>>>
>>>
>>>
>>>
>>>
>>> Michael Coates
>>> OWASP
>>> michael.coates at owasp.org
>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>> --
>>> Ludovic Petit, CISSP, CTFS
>>> Chapter Leader OWASP France
>>> OWASP Global Connections Committee
>>>
>>> Mobile: +33 (0) 611 726 164
>>> E-mail: ludovic.petit at owasp.org
>>> LinkedIn: http://www.linkedin.com/in/lpetit
>>> -------
>>> Homepage: https://www.owasp.org/index.php/France
>>> Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-france
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> -- 
> Magno (Logan) Rodrigues
> OWASP Paraiba - Chapter Leader <http://www.owasp.org/index.php/Paraiba>
> Twitter: @owasppb <http://www.twitter.com/owasppb> /
> @magnologan <http://www.twitter.com/magnologan>
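Dennis's message above asks what "do input validation" actually means in code: when a regex is enough, when to inspect the tainted string yourself, and how to rebuild it so it can be treated as clean. The block below is an added example by the editor of this page, not OWASP's regex library and not code from anyone in this thread; the function names (clean_card, clean_phone, clean_email, luhn_ok), the MAX_LEN bound and the sample inputs in the comments are constructed for illustration.

```python
import re

# Added example, not OWASP's library: bound the tainted string, check its
# structure with a backtracking-safe pattern (bounded repeats, no ambiguous
# nested quantifiers, so Python's backtracking NFA-style engine stays linear
# and a DFA engine would not change the worst case), do the check a regex
# cannot express, and return a rebuilt canonical value (or None) to treat as clean.
MAX_LEN = 64  # bound the work a backtracking engine can do on any input
_PHONE_RE = re.compile(r"\+?[0-9]{7,15}")
_CARD_RE = re.compile(r"[0-9]{12,19}")
_EMAIL_RE = re.compile(  # the '.' before each extra label keeps the repeat unambiguous
    r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63}){1,4}")

def _strip_separators(raw: str) -> str:
    """Drop the separators people type into numbers: space, dash, dot, parens."""
    return "".join(ch for ch in raw if ch not in " -().")

def luhn_ok(digits: str) -> bool:
    """Check digit every payment card number satisfies (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def clean_card(raw: str):
    """Canonical digit string, or None if structure or checksum fails."""
    if len(raw) > MAX_LEN:
        return None
    digits = _strip_separators(raw)
    if _CARD_RE.fullmatch(digits) is None or not luhn_ok(digits):
        return None
    return digits

def clean_phone(raw: str):
    """Optional '+' and 7-15 digits, or None; here the regex is the whole check."""
    if len(raw) > MAX_LEN:
        return None
    digits = _strip_separators(raw)
    return digits if _PHONE_RE.fullmatch(digits) else None

def clean_email(raw: str):
    """Rebuilt with a lowercased domain; fullmatch, since '$' would also accept a trailing newline."""
    if len(raw) > MAX_LEN or _EMAIL_RE.fullmatch(raw) is None:
        return None
    local, _, domain = raw.rpartition("@")
    return local + "@" + domain.lower()
```

The card and phone validators show the two halves Dennis separates: the regex settles structure, while the Luhn check and the separator stripping are the "inspect it yourself" and "rebuild it" steps that a pattern alone cannot do.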