[Owasp-leaders] What is the problem with http://security.stackexchange.com/

Michael Hidalgo Fallas michael.hidalgo at owasp.org
Sat Jan 28 13:55:40 UTC 2012


Hi All,
I would like to give my opinion.

Why don't we create our own Q&A site at OWASP, with an authentication
mechanism so that only people with an OWASP account can access it?
The link below shows a project at Google that provides a front end
similar to the StackOverflow family. It can be configured and managed.

http://code.google.com/p/open-so-frontend/

I'm a developer to my bones and I know that people are usually looking for a
solution, and this kind of site is useful for keeping the community involved.

Thank you.

On Sat, Jan 28, 2012 at 2:46 AM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:

>  I was trying to be active on security.stackexchange.com, but realized it
> quickly became too much other non-appsec. So many questions there seem to be
> "I want to hack this site, but I'll pretend I'm doing a pentest" type of
> questions.
> And the developer questions related to appsec mainly appear on
> stackoverflow. The problem there is that so many wrong answers, especially
> around XSS protection, are accepted as correct, and the same questions are
> asked again and again and again... I see people asking about XSS, and
> answers popping up with solutions around blacklisting SQL keywords...
> If we want to help here we need to set up email notifications for posts on
> security issues and try to provide clear and meaningful advice and
> challenge the wrong answers. I think we make a bigger impact at
> stackoverflow than security.stackexchange.
>
> Erlend
>  ------------------------------
> From: Chris Schmidt
> Sent: 26.01.2012 17:39
> To: Michael Coates
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] What is the problem with
> http://security.stackexchange.com/
>
>
> Touché - I concede that fact if the search is phrased correctly. Is the
> developer experience the same? My gut says no, otherwise we wouldn't even
> be having this conversation :)
>
> On 1/26/2012 9:09 AM, Michael Coates wrote:
> > "leveraging stellar search ranking provided by a provider that has
> already put in the miles to get their results in the top ten."
> >
> > OWASP.org - already in the top results :)
> >
> >
> > Michael Coates
> > OWASP
> > michael.coates at owasp.org
> >
> >
> >
> > On Jan 26, 2012, at 7:50 AM, Chris Schmidt wrote:
> >
> >> This is the most awesome post on the list so far this year!
> >>
> >> I completely agree with Dennis here. Developers are looking for
> >> solutions when they google a problem, not a description of the problem -
> >> how it works - and what it means. They may bookmark that information and
> >> go back to it at a later date, but when they search for "How do I fix
> >> CSRF" they are looking for the answer and in my experience will grab the
> >> first one they come across. Our goal should be to get the *correct*
> >> solutions in front of devs, in order to do that we should be leveraging
> >> stellar search ranking provided by a provider that has already put in
> >> the miles to get their results in the top ten.
> >>
> >> On 1/26/2012 8:37 AM, Dennis Groves wrote:
> >>> Here is the thing: it is better to focus on solutions. Vulns are like
> blacklists, solutions are like whitelists.
> >>>
> >>> Enumeration of vulns is a lot like masturbation - it feels great but
> doesn't accomplish much.
> >>>
> >>> Solutions on the other hand create great value; additionally there is
> not any debate about discussing them, responsible disclosure of solutions
> nor any other bull-shit.
> >>>
> >>> Focus on solutions - change the game, make the world a better place.
> :-)
> >>>
> >>>
> >>> --
> >>> Dennis Groves (http://about.me/dennis.groves), MSc
> >>> dennis.groves at gmail.com
> >>>
> >>>
> >>>
> >>> On Thursday, 26 January 2012 at 15:08, John Wilander wrote:
> >>>
> >>>> Do we know if developers etc. shy away from asking security questions
> in the open? I've certainly been in situations where I'd like to get the
> community's opinion but I didn't want to expose the customer/team/project.
> >>>>
> >>>> Stack Exchange is a very exposing place. An OWASP forum might be less
> so.
> >>>>
> >>>> It's like demoing vulnerabilities. We do that within our community
> because everybody knows the rules of the game (full disclosure, responsible
> disclosure, what's known and what's not). But we probably hesitate demoing
> the same way to the general public. At OWASP AppSec I might demo CSRF
> against a real site whereas I do it against WebGoat in other circumstances.
> >>>>
> >>>> What I'm trying to say is an OWASP forum might get more honest,
> detailed questions whereas Stack Exchange attracts open security questions
> replied to with a mandatory pissing contest.
> >>>>
> >>>> Regards, John
> >>>>
> >>>> --
> >>>> My music http://www.johnwilander.com
> >>>> Twitter https://twitter.com/johnwilander
> >>>> CV or Résumé http://johnwilander.se
> >>>>
> >>>> On 26 Jan 2012, at 15:41, dinis cruz <dinis.cruz at owasp.org> wrote:
> >>>>
> >>>>> I think we tried that originally and it got merged with the general
> security one
> >>>>>
> >>>>> Dinis Cruz
> >>>>>
> >>>>> On 26 Jan 2012, at 14:39, Thomas Brennan <tomb at owasp.org> wrote:
> >>>>>
> >>>>>> We (OWASP) could ask for appsec.stackexchange and volunteer to
> moderate/sponsor its shared goal
> >>>>>>
> >>>>>> Semper Fi,
> >>>>>>
> >>>>>> Tom Brennan
> >>>>>> http://www.linkedin.com/in/tombrennan
> >>>>>> 9732020122
> >>>>>>
> >>>>>> On Jan 26, 2012, at 9:34 AM, Rory Mccune <rorym at nmrconsult.net> wrote:
> >>>>>>
> >>>>>>> Hi all,
> >>>>>>>
> >>>>>>> I'd say that security stackexchange is a good option. I've been a
> user of it more or less since launch and the community is pretty good, the
> mods are reasonable and it's a free service, so no questions of content
> being restricted to paying members.
> >>>>>>>
> >>>>>>> Definitely additional oomph from owasp membership would be great.
> >>>>>>>
> >>>>>>> The referrals from stackoverflow and other stack exchange sites
> are useful as people who ask security related questions can be easily
> redirected without losing context and also if an off-topic question comes up
> in the forum it can be moved without just closing it down.
> >>>>>>>
> >>>>>>>
> >>>>>>> Cheers
> >>>>>>>
> >>>>>>> Rory
> >>>>>>>
> >>>>>>> Sent from my iPad
> >>>>>>>
> >>>>>>> On 26 Jan 2012, at 13:50, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> >>>>>>>
> >>>>>>>> experts-exchange is a pay service; I would recommend staying away
> >>>>>>>> from it.
> >>>>>>>>
> >>>>>>>> I am curious what is wrong with stack-exchange as well. This
> >>>>>>>> sounds like *exactly* what the intent of that experiment was. I
> >>>>>>>> haven't been there for a few weeks, but last I checked people were
> >>>>>>>> still actively using it as well. With a little additional oomph
> >>>>>>>> from the OWASP membership I think that it could become very active.
> >>>>>>>> Stack exchange already ranks extremely well in search results, so
> >>>>>>>> for the majority of people who google their questions, I think this
> >>>>>>>> is a better solution all the way around.
> >>>>>>>>
> >>>>>>>> Additionally, there is already an OWASP irc channel that we could
> >>>>>>>> start promoting as a place to come ask questions to; right now it is
> >>>>>>>> usually just a few of us lurkers, but we do occasionally get people
> >>>>>>>> in who have security questions.
> >>>>>>>>
> >>>>>>>> On 1/26/2012 5:33 AM, Achim wrote:
> >>>>>>>>> another one is experts-exchange.com (http://experts-exchange.com),
> >>>>>>>>> which has an established user management, supports a forum with
> >>>>>>>>> mail notifications (also chat IIRC), has some kind of round table,
> >>>>>>>>> and the questions and answers are "moderated".
> >>>>>>>>>
> >>>>>>>>> Just my 2 pence,
> >>>>>>>>> Achim
> >>>>>>>>>
> >>>>>>>>> On 26.01.2012 10:47, dinis cruz wrote:
> >>>>>>>>>> And why don't we use it?
> >>>>>>>>>>
> >>>>>>>>>> There are clearly a couple issues with it, or we would be using
> it.
> >>>>>>>>>>
> >>>>>>>>>> Can we identify them? (so that we learn from the past)
> >>>>>>>>>>
> >>>>>>>>>> Dinis Cruz
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> OWASP-Leaders mailing list
> >>>>>>>>>> OWASP-Leaders at lists.owasp.org
> >>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 

Michael Hidalgo F.
OWASP Chapter Leader, Costa Rica.

“If you believe in yourself and have dedication and pride - and never
quit, you'll be a winner. The price of victory is high but so are the
rewards.” Paul Bryant