[Owasp-leaders] Security 101 Mailing List?

Jim Manico jim.manico at owasp.org
Thu Jan 26 19:16:46 UTC 2012


> What if a developer could confidently know that the best place in the
world to turn for input validation is OWASP?

I feel we serve the developer community better if "we go to them"
instead of requiring them "to come to us".

Keeping sites like StackOverflow updated with valid OWASP content,
working with Apache to lock down frameworks, etc. This is, in my mind,
how we really effect change. My favorite real-world examples are:

Chris Schmidt made an encoding library for jQuery
Rohit Sethi has actively been working with Django on their terms

If you have an example of how you or someone else from the OWASP
community has been working directly with developers /on their terms/
then please send me a note - I'd love to hear about it!

Thanks all,

-- 
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim at owasp.org
www.owasp.org



> Dennis, to be fair, the ESAPI project is trying to create some of the
> things you're asking for. There are also a number of Encoding APIs at
> OWASP
>
> But as they can vouch for, it's a tough one to crack
>
> Dinis Cruz
>
> On 26 Jan 2012, at 18:07, Dennis Groves <dennis.groves at owasp.org
> <mailto:dennis.groves at owasp.org>> wrote:
>
>> On 26 Jan 2012, at 17:11, Magno Logan wrote:
>>
>>     Great idea Michael,
>>
>>     I think that developers really need that way of asking basic
>>     questions
>>     about app security. Most of them don't learn about it during
>>     University and
>>     that would be a great place to teach them and show our resources.
>>
>> Here's my 2¢ - I have been thinking about this for a while; so feedback
>> is appreciated and desired:
>>
>> Take for an example the advice to do /input validation/ -
>>
>> In my 10 years of application security - not once has anybody
>> described */how/*.
>>
>> What is a developer to make of that? And where advice is given it is
>> very inconsistent and sometimes contradictory.
>>
>> If regular expressions are the best way of doing things - then when
>> do you use a DFA, and when do you use NFA and why? What are the
>> tradeoffs? When is it better to use one over the other? When is it
>> better to inspect your tainted strings yourself? How do you rebuild
>> them so you are able to treat them as clean?
>>
>> Further, where is the OWASP /regex/ library that I can turn to to
>> grab a DFA or NFA that validates commonly required inputs in
>> applications - like Names, emails, phone numbers, credit-cards,
>> addresses, etc....
>>
>> What if a developer could confidently know that the best place in the
>> world to turn for input validation is OWASP?
>>
>> That is an exciting solution; and one that would create enormous value.
>> And one that while difficult - hasn't been built.
>>
>> Cheers,
>>
>> Dennis
>>
>>     I'm up for it 100%.
>>
>>     Best Regards,
>>
>>     On Thu, Jan 26, 2012 at 11:28 AM, Seba seba at owasp.org
>>     <mailto:seba at owasp.org> wrote:
>>
>>         http://myowasp.ning.com/ has spam entries in the forum
>>         we should probably put some moderation on that on (or bring
>>         it offline)?
>>
>>         --Seba
>>
>>         On Thu, Jan 26, 2012 at 3:21 PM, Kate Hartmann
>>         kate.hartmann at owasp.org <mailto:kate.hartmann at owasp.org> wrote:
>>
>>             We have a link to "community forums" from the main page
>>             of the wiki that goes to an established ning site.
>>             http://myowasp.ning.com/
>>
>>             Could we leverage this somehow?
>>
>>             Kate Hartmann
>>
>>             Operations Director
>>
>>             301-275-9403
>>
>>             www.owasp.org <http://www.owasp.org>
>>
>>             Skype: Kate.hartmann1
>>
>>             From: owasp-leaders-bounces at lists.owasp.org
>>             <mailto:owasp-leaders-bounces at lists.owasp.org>
>>             [mailto:owasp-leaders-bounces at lists.owasp.org]
>>             On Behalf Of Ludovic Petit
>>             Sent: Thursday, January 26, 2012 5:53 AM
>>             To: Michael Coates
>>             Cc: owasp-leaders at lists.owasp.org
>>             <mailto:owasp-leaders at lists.owasp.org>
>>             Subject: Re: [Owasp-leaders] Security 101 Mailing List?
>>
>>             Great idea, even if indeed users are likely to have many
>>             answers from many of us.
>>
>>             However and even in this perspective, I think it will be
>>             a good thing because it will show users the benefit of the
>>             community for the subject being treated. So as such, good
>>             for spreading the Voice of OWASP.
>>
>>             Last but not least, I agree and understand your final
>>             comment about "dumb" questions and "Did you Google it?",
>>
>>             but in my view and as I often say on a daily basis, there
>>             are no "dumb" questions, only wrong answers.
>>
>>             Maybe could we foster the idea for a 'banner' in such
>>             mailing list, to make users more confident in their
>>             questions and queries ;-)
>>
>>             Ludovic
>>
>>             On Thu, Jan 26, 2012 at 12:26 AM, Michael Coates <
>>             michael.coates at owasp.org
>>             <mailto:michael.coates at owasp.org>> wrote:
>>
>>             I recently gave a security presentation to a group of
>>             developers in the
>>             health care startup scene. There was great turnout and
>>             they really loved
>>             Webgoat (delivered via OWASP BWA). As I left the
>>             presentation I pointed
>>             them at a variety of OWASP links - top 10, cheat sheets,
>>             secure coding
>>             guidelines - but I felt that it was a missed opportunity
>>             to really engage
>>             the group that had so much to gain from OWASP.
>>
>>             What are people's thoughts about establishing a
>>             OWASP-Security-101
>>             mailing list? The idea would be to have this be a public
>>             list where
>>             developers would ask basic/intro web security questions.
>>             We (OWASP
>>             leaders) would then direct people to available OWASP
>>             resources or answer
>>             the questions directly.
>>
>>             This idea would create an ecosystem with developers that
>>             are not security
>>             experts per se (e.g. getting past the echo chamber). In
>>             addition, this will
>>             quickly identify gaps in OWASP resources ( 5 questions
>>             about topic X and we
>>             have no OWASP page on that topic).
>>
>>             The goal here isn't to replace something like stack
>>             overflow, but instead
>>             to create an inviting space within OWASP where we can
>>             integrate more
>>             developers and publicize/enhance OWASP tools, resources, etc.
>>
>>             One important thing for this new list would be that it's
>>             a safe place to
>>             ask "dumb" questions. I think we could really distinguish
>>             ourselves here
>>             since many people are nervous about jumping into a more
>>             technical mailing
>>             list and just getting the "Did you google it?" type answer.
>>
>>             Thoughts? OWASP-Security-101?
>>
>>             Michael Coates
>>             OWASP
>>             michael.coates at owasp.org <mailto:michael.coates at owasp.org>
>>
>>
>>             OWASP-Leaders mailing list
>>             OWASP-Leaders at lists.owasp.org
>>             <mailto:OWASP-Leaders at lists.owasp.org>
>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>             --
>>
>>             Ludovic Petit, CISSP, CTFS
>>
>>             Chapter Leader OWASP France
>>
>>             OWASP Global Connections Committee
>>
>>             Mobile: +33 (0) 611 726 164
>>
>>             E-mail: ludovic.petit at owasp.org
>>             <mailto:ludovic.petit at owasp.org>
>>
>>             LinkedIn: http://www.linkedin.com/in/lpetit
>>
>>             -------
>>
>>             Homepage: https://www.owasp.org/index.php/France
>>
>>             Mailing list:
>>             https://lists.owasp.org/mailman/listinfo/owasp-france
>>
>>             OWASP-Leaders mailing list
>>             OWASP-Leaders at lists.owasp.org
>>             <mailto:OWASP-Leaders at lists.owasp.org>
>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>         OWASP-Leaders mailing list
>>         OWASP-Leaders at lists.owasp.org
>>         <mailto:OWASP-Leaders at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>     Magno (Logan) Rodrigues
>>     OWASP Paraiba - Chapter Leader http://www.owasp.org/index.php/Paraiba
>>     Twitter: @owasppb http://www.twitter.com/owasppb /
>>     @magnologan http://www.twitter.com/magnologan
>>
>>     OWASP-Leaders mailing list
>>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

