[Owasp-leaders] What would you change about OWASP?

Andy Lewis alewis at owasp.org
Thu Jun 7 01:51:54 UTC 2012


Tom - this is actually a pretty big opportunity for OWASP.  What
resources are available to teach Developers to salt hashes?
What code/APIs are immediately available so that the people at
Facebook don't have to reinvent the wheel?

The references for the Cryptographic Cheat Sheet look like they cover
salt for Java, PHP, and .NET.
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#References

Anybody aware of any others?  Now's a good time to update the cheat
sheet references and consider publishing/mentioning at the next
Chapter meeting...
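As an added illustration (not part of this message, of the cheat sheet, or of any OWASP project code), the following shows in Python's standard library what the "salt your hashes" advice amounts to in practice: a fresh random salt per password, an iterated key-derivation function rather than a bare digest, and a constant-time comparison on verification. The iteration count, salt length and the `algorithm$iterations$salt$hash` record layout are assumptions chosen for the example, as are the two sample users.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters for this example only (assumed values; tune the iteration
# count to your hardware and re-hash on login when you raise it).
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The weak scheme behind the LinkedIn leak: one bare digest, no salt.
    Every user with the same password gets the same digest, so one
    cracked digest unlocks all of them and precomputed tables apply."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    The salt is generated per call from the OS CSPRNG unless supplied
    (supplying one is only for reproducible tests, never in production)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS
    )
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record
    and compare in constant time. Malformed records verify as False."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        hash_name = algo[len("pbkdf2_"):]
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


def records_collide(password: str) -> bool:
    """Constructed check: do two users with the same password end up
    with identical stored records? True for the unsalted scheme,
    False once each record carries its own salt."""
    same_unsalted = unsalted_sha1(password) == unsalted_sha1(password)
    same_salted = hash_password(password) == hash_password(password)
    return same_unsalted and not same_salted


if __name__ == "__main__":
    # Constructed sample users sharing a password, as in the leak.
    store = {"alice": hash_password("hunter2"), "bob": hash_password("hunter2")}
    print("distinct salted records:", store["alice"] != store["bob"])
    print("alice login ok:", verify_password("hunter2", store["alice"]))
    print("wrong password:", verify_password("hunter3", store["alice"]))
```

Note that the record carries its own algorithm name and iteration count, so the cost can be raised later without invalidating existing users; and verification never touches the plaintext of the stored hash with `==`, which would leak timing.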

On Wed, Jun 6, 2012 at 4:52 PM, Tom Brennan <tomb at owasp.org> wrote:
> Well said even with today's web appsec headlines of BigPenis
>
> http://m.gizmodo.com/5916332/bigpenis-and-65-million-other-sad-stupid-leaked-linkedin-passwords
>
> Semper Fi Andy ;)- see you at #defcon
>
> Tom Brennan
> Trustwave, SpiderLabs
> (t) 973-202-0122
> (e) tbrennan at trustwave.com
> (w) http://www.trustwave.com
>
> On Jun 6, 2012, at 3:17 PM, Andy Lewis <alewis at owasp.org> wrote:
>
>> Hi Eoin - first allow me to thank you for the time you've taken over
>> the years to maintain OWASP's momentum.
>>
>> What I'd change:
>> 1. Have a virtual meeting for Chapter Leaders periodically.  Make it a
>> forum for ongoing improvement - mentoring new leaders, providing tips,
>> discussing what's hot, pending global changes, etc.  Voluntary and
>> targeted at 30 mins (likely to go 60, but 30's the target).
>>
>> 2. Encourage existing leaders to serve as mentors/buddies.  Sometimes
>> when you're new to an organization it REALLY helps to have a single
>> POC to whom you can ask stupid questions :-)
>>
>> 3. Ask questions like this and figure out how to put action behind the
>> answers.  Because we all have day jobs, OWASP is a labor of love.
>> Sometimes it feels unrequited.  Putting action in is more often about
>> finding the right person with the right passion and sufficient time to
>> make progress.  Find those people and encourage THEIR projects so that
>> we're DELIVERING (whether or not it's of earth-shattering
>> significance).  A great example is Cam Morris's Passfault project -
>> GREAT action from a PASSIONATE individual who SHARED the project and
>> who's ultimately helping himself, OWASP, and the world (without
>> shattering it).  Coordinate help if needed, and as a Board (and
>> veterans of this industry), find the projects with the greatest
>> potential impact and actively recruit for them.
>>
>> 4. Send Board Members to Chapter Meetings.  A part of my frustration
>> over the years involves not understanding "your" world and knowing
>> that "you" don't understand mine.  Figure out how to make Board
>> Members available on "the circuit" with very cool topics, and budget
>> enough time to sit down w/Chapter Leaders over beers (or breakfast) to
>> impart awareness of OWASP resources and to receive first-hand
>> understanding of what's happening locally.  The trick is the same
>> every month - find a place, find someone to sponsor, find someone with
>> a compelling topic/hands-on, and put people in the chairs.  If the
>> Board Members (or Chapter Leaders) can establish a rotation of sorts,
>> hopefully the compelling topic problem is solved and the rest is just
>> logistics and communications.
>>
>> 5. Fix the dawgone mail server.  We're now encouraging people to join
>> LinkedIn and follow us on Twitter.  Neither is as well monitored as
>> the no-kidding inbox I have to read every day at my job.
>>
>> 6. One thing I really, really like is that we ALL have a voice and
>> even though I've said some pretty stupid things on this list in the
>> past, I've never been soul-crushed out of spite :-)  Maintain the
>> openness.
>>
>> 7. Consider an Awards system.  "Best regional con", "best sponsor
>> management", "best AppSec contribution/project", "best general ITSec
>> contribution/project", etc.  Have winners and runners-up publish what
>> they're doing right.  Sometimes it's a lot easier to read/locate what
>> champions are doing than it is to chase "best practices."
>>
>> Thanks again.  Back to the day job...
>> Andy
>>
>>
>> On Wed, Jun 6, 2012 at 2:46 AM, Eoin <eoin.keary at owasp.org> wrote:
>>> Hello leaders,
>>> I was thinking about the good and bad aspects of OWASP. Sometimes I think there is too much "process" and not enough action.
>>> Other times I think we don't do enough relevant activities and are not addressing the core issues.
>>>
>>> So, with that said, what would you change about OWASP? (any idea, suggestion is "fair game").
>>>
>>> Eoin.
>>>
>>>
>>>
>>> Eoin Keary
>>> BCC Risk Advisory
>>> Owasp Global Board
>>> +353 87 977 2988
>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders