[Owasp-leaders] What is the problem with http://security.stackexchange.com/

Erlend Oftedal Erlend.Oftedal at BEKK.no
Sat Jan 28 08:46:38 UTC 2012


I was trying to be active on security.stackexchange.com, but realized it quickly became too much other non-appsec. So many questions there seem to be "I want to hack this site, but I'll pretend I'm doing a pentest" type of questions.
And the developer questions related to appsec mainly appear on stackoverflow. The problem there is that so many wrong answers, especially around XSS protection, are accepted as correct, and the same questions are asked again and again and again... I see people asking about XSS, and answers popping up with solutions around blacklisting SQL keywords...
If we want to help here we need to set up email notifications for posts on security issues and try to provide clear and meaningful advice and challenge the wrong answers. I think we make a bigger impact at stackoverflow than at security.stackexchange.

Erlend
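An added illustration of the "wrong answer" Erlend describes, not part of his message or of anything posted in this thread: a filter that strips SQL keywords does nothing against XSS, while contextual output encoding does. The payloads, the blacklist and the two templates are constructed for the example; the parser-based check uses Python's standard library to show which event handlers the browser would actually see.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample payloads (not taken from the thread).
TAG_PAYLOAD = "<img src=x onerror=alert(1)>"           # HTML body context
ATTR_PAYLOAD = '" autofocus onfocus=alert(1) x="'       # quoted attribute context

# The "SQL keyword blacklist" answer: none of these tokens occur in a
# typical XSS payload, so the filter has no effect on it.
SQL_BLACKLIST = ["select", "union", "insert", "drop", "--", "'"]


def sql_keyword_blacklist(value: str) -> str:
    """Remove blacklisted SQL tokens case-insensitively (the wrong XSS defence)."""
    for token in SQL_BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def render_greeting_blacklisted(name: str) -> str:
    """Body context, 'protected' only by the SQL blacklist."""
    return f"<p>Hello {sql_keyword_blacklist(name)}</p>"


def render_greeting_escaped(name: str) -> str:
    """Body context with HTML entity encoding of the untrusted value."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_input_blacklisted(value: str) -> str:
    """Quoted attribute context, 'protected' only by the SQL blacklist."""
    return f'<input name="q" value="{sql_keyword_blacklist(value)}">'


def render_input_escaped(value: str) -> str:
    """Quoted attribute context; quote=True also encodes " and ' so the value
    cannot terminate the attribute and smuggle in an event handler.
    Note: html.escape is only right for body and quoted-attribute contexts;
    JavaScript strings, URLs and CSS each need their own encoder."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


class _Collector(HTMLParser):
    """Record the start tags and on* attributes a parser actually recognises."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))

    handle_startendtag = handle_starttag


def parse_fragment(fragment: str) -> tuple[list[str], list[str]]:
    """Return (tags, event_handler_attributes) as an HTML parser sees them.
    The templates above contain exactly one element and no on* attributes,
    so anything beyond that came from the untrusted value."""
    p = _Collector()
    p.feed(fragment)
    p.close()
    return p.tags, p.handlers


if __name__ == "__main__":
    for label, fragment in [
        ("body/blacklist ", render_greeting_blacklisted(TAG_PAYLOAD)),
        ("body/escaped   ", render_greeting_escaped(TAG_PAYLOAD)),
        ("attr/blacklist ", render_input_blacklisted(ATTR_PAYLOAD)),
        ("attr/escaped   ", render_input_escaped(ATTR_PAYLOAD)),
    ]:
        tags, handlers = parse_fragment(fragment)
        print(f"{label} tags={tags} handlers={handlers}  {fragment}")
```

Both blacklisted renderings leave an `onerror` or `onfocus` handler for the browser to execute; both escaped renderings parse back to the single template element with no handlers. The encoder has to match the output context, which is exactly the nuance that keyword blacklists miss.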
________________________________
From: Chris Schmidt
Sent: 26.01.2012 17:39
To: Michael Coates
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] What is the problem with http://security.stackexchange.com/

Touché. I concede that fact if the search is phrased correctly. Is the developer experience the same? My gut says no, otherwise we wouldn't even be having this conversation :)

On 1/26/2012 9:09 AM, Michael Coates wrote:
> "leveraging stellar search ranking provided by a provider that has already put in the miles to get their results in the top ten."
>
> OWASP.org - already in the top results :)
>
>
> Michael Coates
> OWASP
> michael.coates at owasp.org
>
>
>
> On Jan 26, 2012, at 7:50 AM, Chris Schmidt wrote:
>
>> This is the most awesome post on the list so far this year!
>>
>> I completely agree with Dennis here. Developers are looking for
>> solutions when they google a problem, not a description of the problem -
>> how it works - and what it means. They may bookmark that information and
>> go back to it at a later date, but when they search for "How do I fix
>> CSRF" they are looking for the answer and in my experience will grab the
>> first one they come across. Our goal should be to get the *correct*
>> solutions in front of devs, in order to do that we should be leveraging
>> stellar search ranking provided by a provider that has already put in
>> the miles to get their results in the top ten.
>>
>> On 1/26/2012 8:37 AM, Dennis Groves wrote:
>>> Here is the thing, it is better to focus on solutions. Vulns are like blacklists, Solutions are like whitelists -
>>>
>>> Enumeration of vulns is a lot like masturbation - it feels great but doesn't accomplish much.
>>>
>>> Solutions on the other hand create great value; additionally there is not any debate about discussing them, responsible disclosure of solutions nor any other bull-shit.
>>>
>>> Focus on solutions - change the game, make the world a better place. :-)
>>>
>>>
>>> --
>>> Dennis Groves (http://about.me/dennis.groves), MSc
>>> dennis.groves at gmail.com
>>>
>>>
>>>
>>> On Thursday, 26 January 2012 at 15:08, John Wilander wrote:
>>>
>>>> Do we know if developers etc shy away from asking security questions in the open? I've certainly been in situations where I'd like to get the community's opinion but I didn't want to expose the customer/team/project.
>>>>
>>>> Stack Exchange is a very exposing place. An OWASP forum might be less so.
>>>>
>>>> It's like demoing vulnerabilities. We do that within our community because everybody knows the rules of the game (full disclosure, responsible disclosure, what's known and what's not). But we probably hesitate demoing the same way to the general public. At OWASP AppSec I might demo CSRF against a real site whereas I do it against WebGoat in other circumstances.
>>>>
>>>> What I'm trying to say is an OWASP forum might get more honest, detailed questions whereas Stack Exchange attracts open security questions replied to with a mandatory pissing contest.
>>>>
>>>> Regards, John
>>>>
>>>> --
>>>> My music http://www.johnwilander.com
>>>> Twitter https://twitter.com/johnwilander
>>>> CV or Résumé http://johnwilander.se
>>>>
>>>> On 26 Jan 2012, at 15:41, dinis cruz <dinis.cruz at owasp.org> wrote:
>>>>
>>>>> I think we tried that originally and it got merged with the general security one
>>>>>
>>>>> Dinis Cruz
>>>>>
>>>>> On 26 Jan 2012, at 14:39, Thomas Brennan <tomb at owasp.org> wrote:
>>>>>
>>>>>> We (OWASP) could ask for appsec.stackexchange and volunteer to moderate/sponsor its shared goal
>>>>>>
>>>>>> Semper Fi,
>>>>>>
>>>>>> Tom Brennan
>>>>>> http://www.linkedin.com/in/tombrennan
>>>>>> 9732020122
>>>>>>
>>>>>> On Jan 26, 2012, at 9:34 AM, Rory Mccune <rorym at nmrconsult.net> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I'd say that security stackexchange is a good option. I've been a user of it more or less since launch and the community is pretty good, the mods are reasonable and it's a free service, so no questions of content being restricted to paying members.
>>>>>>>
>>>>>>> Definitely additional oomph from owasp membership would be great.
>>>>>>>
>>>>>>> The referrals from stackoverflow and other stack exchange sites are useful, as people who ask security-related questions can be easily redirected without losing context, and also if an off-topic question comes up in the forum it can be moved without just closing it down.
>>>>>>>
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Rory
>>>>>>>
>>>>>>> Sent from my iPad
>>>>>>>
>>>>>>> On 26 Jan 2012, at 13:50, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>>>>>>>
>>>>>>>> experts-exchange is a pay service, I would recommend staying away from it.
>>>>>>>>
>>>>>>>> I am curious what is wrong with stack-exchange as well. This sounds like
>>>>>>>> *exactly* what the intent of that experiment was. I haven't been there
>>>>>>>> for a few weeks, but last I checked people were still actively using it
>>>>>>>> as well. With a little additional oomph from the OWASP membership I
>>>>>>>> think that it could become very active. Stack exchange already ranks
>>>>>>>> extremely well in search results so for the majority of people who
>>>>>>>> google their questions, I think this is a better solution all the way
>>>>>>>> around.
>>>>>>>>
>>>>>>>> Additionally, there is already an OWASP irc channel that we could start
>>>>>>>> promoting as a place to come ask questions to, right now it is usually
>>>>>>>> just a few of us lurkers but we do occasionally get people in who have
>>>>>>>> security questions.
>>>>>>>>
>>>>>>>> On 1/26/2012 5:33 AM, Achim wrote:
>>>>>>>>> another one is experts-exchange.com (http://experts-exchange.com) which has an established user management, supports
>>>>>>>>> forum with mail notifications (also chat IIRC), has some kind of round table,
>>>>>>>>> and the questions and answers are "moderated".
>>>>>>>>>
>>>>>>>>> Just my 2 pence,
>>>>>>>>> Achim
>>>>>>>>>
>>>>>>>>> On 26.01.2012 10:47, dinis cruz wrote:
>>>>>>>>>> And why don't we use it?
>>>>>>>>>>
>>>>>>>>>> There are clearly a couple issues with it, or we would be using it.
>>>>>>>>>>
>>>>>>>>>> Can we identify them? (so that we learn from the past)
>>>>>>>>>>
>>>>>>>>>> Dinis Cruz
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
