[Owasp-leaders] AppSec Monthly Themes

Thomas Brennan tomb at owasp.org
Thu Mar 22 20:58:03 UTC 2012


For those who have not seen the MS version 

http://www.microsoft.com/security/sdl/adopt/eop.aspx



On Mar 22, 2012, at 4:23 PM, Tony Turner <tony.turner at owasp.org> wrote:

> I've got some really good gameplay ideas here from 30+ years of D&D and CCG play. Adversary vs. adversary would be easy, à la Magic: The Gathering-style play, but instead of having players attack each other I'd have a set of positive and negative events randomly drawn each turn, mitigated by the cards in play, with the objective being to stay in business. For instance, a player draws a SQLi event, but luckily last turn he played the parameterized query card, so he's safe; then next turn he gets hit with an XSS event, doesn't have a mitigation, and loses 10,000 customers. Use customer base (or cash reserves) as your life pool. Positive events could be things like an acquisition, a new service (with new exposures), a feature enhancement, or even just some good PR that equates to new customers. Sign me up, I'd love to be involved!
> 
> On Mar 22, 2012 3:51 PM, "Eoin" <eoin.keary at owasp.org> wrote:
> My ace of XSS beats your queen of CSRF.
> 
> Eoin Keary
> BCC Risk Advisory
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 22 Mar 2012, at 19:38, "Dennis Groves, MSc" <dennis.groves at owasp.org> wrote:
> 
> > On 22 Mar 2012, at 15:40, Colin Watson wrote:
> >
> >> :-)
> >>
> >> I had been trying to think about an AppSensor (defense vs attacks)
> >> version of the card game Trumps, and get them printed on decks of
> >> playing cards - either as the game itself or as the card "backs". Then
> >> they could be used for promotional give-aways.
> >>
> >> But maybe the idea (52 cards) could be used for 13 themes x 4
> >> messages, or something like that? Perhaps developers and others would
> >> prefer a pack of playing cards to a book.
> >>
> >> I think we'd have to change "joker" to "hacker" though.
> >>
> >
> > I have always wanted to design a deck of cards. This could be so fun in so many, many ways… Let me know if you actually want to execute on this…
> >
> > Maybe we can even have them done in time for the 2013 trip to the Casino^H^H^H^H^H^H Summit! :-)
> >
> > Dennis
> >
> >
> >> Colin
> >>
> >> On 22 March 2012 12:46, Eoin <eoin.keary at owasp.org> wrote:
> >>> "The owasp ten commandments"
> >>> project!!
> >>>
> >>> Eoin Keary
> >>> BCC Risk Advisory
> >>> Owasp Global Board
> >>> +353 87 977 2988
> >>>
> >>>
> >>> On 22 Mar 2012, at 08:23, "Dennis Groves, MSc" <dennis.groves at owasp.org> wrote:
> >>>
> >>>> Michael & Jim, (and the rest of the leaders…)
> >>>>
> >>>> Brilliant idea. A good friend of mine and productivity expert, JD Meier, speaks of 30-day improvement sprints. I guess my thought is that it would be best to map out a year of these first and prepare materials in advance of the controlled release. This way sick days and holidays don't interfere with the flow. Another idea would be to alternate builder, breaker and defender months, so that we rotate through each of those topics 4 times during the year.
> >>>>
> >>>> In fact, on that note, Jim: your very cool "parameterize, don't jeopardise" SQL injection maxim causes me to wonder if we couldn't distill another 11 of those 'tweet'-sized ideas and create the 'OWASP laws of application security.'
> >>>>
> >>>> Dennis
> >>>>
> >>>> On 22 Mar 2012, at 5:18, Jim Manico wrote:
> >>>>
> >>>>> Awesome idea.
> >>>>>
> >>>>> How about we focus specifically on a SQL Injection awareness campaign
> >>>>> for the first month? We could be even more specific and bring
> >>>>> awareness to the coding technique of query parameterization.
> >>>>>
> >>>>> "Parameterize, don't jeopardize" ;)
> >>>>>
> >>>>> --
> >>>>> Jim Manico
> >>>>> (808) 652-3805
> >>>>>
> >>>>> On Mar 22, 2012, at 7:08 AM, Michael Coates <michael.coates at owasp.org> wrote:
> >>>>>
> >>>>>> Leaders,
> >>>>>>
> >>>>>> I've been toying with the idea of a centralized security theme for each month.  The idea is to flood the airwaves (or is it the pipes?) with a large amount of information on a particular application security topic.
> >>>>>>
> >>>>>> For example, April could be "Injection Flaws" and anyone interested could blog about this topic.  I'm hoping to see articles from the perspective of builders, breakers and defenders. Also articles that dive into code examples, frameworks, lifecycle considerations, tools and more.  We can have a push for video examples, podcasts, and project updates (if relevant to the monthly theme) and more.
> >>>>>>
> >>>>>> This "coordinated" assault on the issue is then magnified by retweets from the OWASP twitter account and syndication on the OWASP news feed.  At the end of the month we then have an OWASP blog post that captures the definitive list to all articles, posts, tools, etc that were created during that month.  We could also award the top contributions and feature them in the newsletter.
> >>>>>>
> >>>>>> Anyone interested in this idea?  I'm thinking we work through a few of the OWASP top 10, then maybe jump around with a month for mobile security, cloud security, lifecycle, risk analysis, etc.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> April the month of Injection Flaws?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> -------
> >>>>>> Michael Coates | OWASP
> >>>>>> michael.coates at owasp.org | @_mwc
> >>>>>> OWASP Board
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OWASP-Leaders mailing list
> >>>>>> OWASP-Leaders at lists.owasp.org
> >>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>
> >>>>
> >>>> --
> >>>> [Dennis Groves](http://about.me/dennis.groves), MSc
> >>>> [dennis.groves at gmail.com](mailto:dennis.groves at gmail.com)
> >>>>
> >>>> *"What is the use of living, if it be not to strive for noble causes and make this muddled world a better place for those who will live in it after we have gone."* -- Winston Churchill, October 10th, 1908
> >
> >
> > Dennis
> >
> > --
> > [Dennis Groves](http://www.owasp.org/index.php/User:Dennis_Groves), MSc
> > [dennis.groves at owasp.org](mailto:dennis.groves at owasp.org)
> >
> > *This work is licensed under the Creative Commons
> > Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of
> > this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
> > send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain
> > View, California, 94041, USA.*
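Jim's "parameterize, don't jeopardize" point, as an added example that is not code from this thread or from any OWASP project: the same user lookup written with string concatenation and with a bound parameter, run against a small constructed SQLite table. The table, the names and the inputs are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample table for the demo; nothing here comes from the thread.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test"),
                ("carol", "carol@example.test"), ("o'brien", "ob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's string becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized form: the string is bound as a value, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on one input; None marks a query the database refused."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError:
        concat = None  # a single apostrophe is enough to break the concatenated SQL
    return {"concat": concat, "param": lookup_param(conn, name)}


if __name__ == "__main__":
    print(compare("alice"))         # both forms agree on a plain name
    print(compare("o'brien"))       # a legitimate name the concat form cannot even handle
    # The textbook tautology input: concatenation matches every row,
    # while the bound parameter matches no user of that (odd) name.
    print(compare("' OR '1'='1"))
```

The apostrophe case is the one to remember when reviewing code: concatenation is not just exploitable, it is also wrong for ordinary data.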