[Owasp-leaders] Security 101 Mailing List?

dinis cruz dinis.cruz at owasp.org
Thu Jan 26 18:50:01 UTC 2012

Dennis, to be fair, the ESAPI project is trying to create some of the
things you're asking for. There are also a number of Encoding APIs at OWASP.

But as they can vouch for, it's a tough one to crack

Dinis Cruz

On 26 Jan 2012, at 18:07, Dennis Groves <dennis.groves at owasp.org> wrote:

On 26 Jan 2012, at 17:11, Magno Logan wrote:

Great idea Michael,

I think that developers really need that way of asking basic questions
about app security. Most of them don't learn about it during University and
that would be a great place to teach them and show our resources.

Here's my 2¢ - I have been thinking about this for a while; so feedback is
appreciated and desired:

Take for an example the advice to do *input validation* -

In my 10 years of application security - not once has anybody described *how

What is a developer to make of that? And where advice is given it is very
inconsistent and sometimes contradictory.

If regular expressions are the best way of doing things - then when do you
use a DFA, and when do you use NFA and why? What are the tradeoffs? When is
it better to use one over the other? When is it better to inspect your
tainted strings yourself? How do you rebuild them so you are able to treat
them as clean?

Further, where is the OWASP *regex* library that I can turn to to grab a
DFA or NFA that validates commonly required inputs in applications - like
Names, emails, phone numbers, credit-cards, addresses, etc….

What if a developer could confidently know that the best place in the world
to turn for input validation is OWASP?

That is an exciting solution; and one that would create enormous value.
And one that while difficult - hasn't been built.



I'm up for it 100%.

Best Regards,

On Thu, Jan 26, 2012 at 11:28 AM, Seba seba at owasp.org wrote:

http://myowasp.ning.com/ has spam entries in the forum;
we should probably put some moderation on that (or bring it offline)?


On Thu, Jan 26, 2012 at 3:21 PM, Kate Hartmann kate.hartmann at owasp.org wrote:

We have a link to "community forums" from the main page of the wiki that
goes to an established ning site. http://myowasp.ning.com/

Could we leverage this somehow?

Kate Hartmann

Operations Director

www.owasp.org

Skype: Kate.hartmann1

*From:* owasp-leaders-bounces at lists.owasp.org [mailto:
owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Ludovic Petit
*Sent:* Thursday, January 26, 2012 5:53 AM
*To:* Michael Coates
*Cc:* owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-leaders] Security 101 Mailing List?

Great idea, even if indeed users are likely to have many answers from
many of us.

However and even in this perspective, I think it will be a good thing
because it will show users the benefit of the community for the subject
being treated. So as such, good for spreading the Voice of OWASP.

Last but not least, I agree and understand your final comment about
"dumb" questions and "Did you Google it?",

but in my view and as I often say on a daily basis, there are no "dumb"
questions, only wrong answers.

Maybe we could foster the idea of a 'banner' in such a mailing list, to
make users more confident in their questions and queries ;-)


On Thu, Jan 26, 2012 at 12:26 AM, Michael Coates <
michael.coates at owasp.org> wrote:

I recently gave a security presentation to a group of developers in the
health care startup scene. There was great turnout and they really loved
Webgoat (delivered via OWASP BWA). As I left the presentation I pointed
them at a variety of OWASP links - top 10, cheat sheets, secure coding
guidelines - but I felt that it was a missed opportunity to really engage
the group that had so much to gain from OWASP.

What are people's thoughts about establishing an OWASP-Security-101
mailing list? The idea would be to have this be a public list where
developers would ask basic/intro web security questions. We (OWASP
leaders) would then direct people to available OWASP resources or answer
the questions directly.

This idea would create an ecosystem with developers that are not security
experts per se (e.g. getting past the echo chamber). In addition, this will
quickly identify gaps in OWASP resources (5 questions about topic X and we
have no OWASP page on that topic).

The goal here isn't to replace something like stack overflow, but instead
to create an inviting space within OWASP where we can integrate more
developers and publicize/enhance OWASP tools, resources, etc.

One important thing for this new list would be that it's a safe place to
ask "dumb" questions. I think we could really distinguish ourselves here
since many people are nervous about jumping into a more technical mailing
list and just getting the "Did you google it?" type answer.

Thoughts? OWASP-Security-101?

Michael Coates
michael.coates at owasp.org

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

--

Ludovic Petit, CISSP, CTFS

Chapter Leader OWASP France

OWASP Global Connections Committee

Mobile: +33 (0) 611 726 164

E-mail: ludovic.petit at owasp.org

LinkedIn: http://www.linkedin.com/in/lpetit

Homepage: https://www.owasp.org/index.php/France

Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-france



Magno (Logan) Rodrigues
OWASP Paraiba - Chapter Leader http://www.owasp.org/index.php/Paraiba
Twitter: @owasppb http://www.twitter.com/owasppb

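Dennis asks, above, what a shared input-validation library for "commonly required inputs" would look like, and how a developer "rebuilds" a tainted string so it can be treated as clean. The block below is an added illustration of that idea; it is not code from this thread, from ESAPI, or from any OWASP project. It validates three of the input types Dennis names (email, phone number, payment card) with anchored allowlist patterns, returns the canonical ("rebuilt") form on success and a reason on failure, and adds the check a regex alone cannot express (the Luhn digit test on card numbers). Names are deliberately left out: a character allowlist there rejects legitimate input, which is the tradeoff Dennis is pointing at. The patterns are assumptions for the example (the email form is narrower than RFC 5322; the phone form is digit-count only), as is the 256-character cap.

```python
import re
from typing import NamedTuple, Optional


class Result(NamedTuple):
    ok: bool
    value: str   # canonical ("rebuilt") form when ok, empty otherwise
    reason: str  # why the input was rejected, suitable for logging


# Assumption for this example: no single field should exceed this length.
# Checking size before any regex runs bounds the work an attacker can force.
MAX_LEN = 256

# Anchored allowlist patterns, used with fullmatch() so that a trailing
# newline cannot slip past (re.match + '$' would still accept "x\n").
# Python's re module is a backtracking engine, so each pattern keeps its
# quantifiers bounded and separated by literal delimiters; that keeps
# matching time proportional to the input even on hostile strings.
# The email form is deliberately narrower than RFC 5322 (assumption).
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.){1,4}[A-Za-z]{2,24}"
)
PHONE_SEPARATORS = re.compile(r"[\s().-]")
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")       # E.164 allows up to 15 digits
CARD_SEPARATORS = re.compile(r"[\s-]")
CARD_RE = re.compile(r"[0-9]{12,19}")


def _bounded(raw: object) -> Optional[str]:
    """Return the input if it is a string of acceptable size, else None."""
    if not isinstance(raw, str) or len(raw) > MAX_LEN:
        return None
    return raw


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, folds
    two-digit results, and requires the sum to be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_email(raw: object) -> Result:
    s = _bounded(raw)
    if s is None:
        return Result(False, "", "missing or oversized")
    if not EMAIL_RE.fullmatch(s):
        return Result(False, "", "not an allowed email form")
    local, _, domain = s.rpartition("@")
    # Rebuild: the domain is case-insensitive, so canonicalise it;
    # the local part is left as given.
    return Result(True, f"{local}@{domain.lower()}", "")


def validate_phone(raw: object) -> Result:
    s = _bounded(raw)
    if s is None:
        return Result(False, "", "missing or oversized")
    # Rebuild first (drop presentation separators), then validate the
    # canonical digit string rather than the user's formatting.
    digits = PHONE_SEPARATORS.sub("", s)
    if not PHONE_RE.fullmatch(digits):
        return Result(False, "", "not an allowed phone number form")
    return Result(True, digits, "")


def validate_card(raw: object) -> Result:
    s = _bounded(raw)
    if s is None:
        return Result(False, "", "missing or oversized")
    digits = CARD_SEPARATORS.sub("", s)
    if not CARD_RE.fullmatch(digits):
        return Result(False, "", "not an allowed card number form")
    if not luhn_ok(digits):
        return Result(False, "", "fails Luhn check")
    return Result(True, digits, "")


if __name__ == "__main__":
    # Constructed sample inputs; 4111 1111 1111 1111 is a well-known test number.
    for check, sample in [
        (validate_email, "User@Example.COM"),
        (validate_email, "user@example.com\n"),
        (validate_phone, "+1 (555) 010-0199"),
        (validate_card, "4111 1111 1111 1111"),
        (validate_card, "4111 1111 1111 1112"),
    ]:
        print(check.__name__, repr(sample), "->", check(sample))
```

The shape matters more than the particular patterns: every validator rejects oversized input before touching a regex, anchors with `fullmatch`, canonicalises before it decides, and returns the canonical value so that the caller stores and uses the rebuilt string rather than the original tainted one.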