[Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Jim Manico jim.manico at owasp.org
Tue Feb 26 02:28:26 UTC 2013


Thank you Dre. 

Make no mistake, I'm in a conflict of interest around the T10, the OWASP Cheat Sheet series, and the OWASP podcast as well.

I try to open the cheat sheet series to a wide audience of contributors. I also keep this series on the wiki to allow for community edits and contributions. The only time I have ever rejected a cheat sheet is due to low quality and I've always worked with folks to bring their work up to draft or release quality as best I can.

The podcast is something that I have set the tone for, and I need to find a way to get more community involvement to ensure my own objectivity. I need to think about this more, but I am open to suggestions. The podcast in general is being released a lot less frequently, when it starts back up I'll try to get more "interviewers" involved to make it more objective. And please note, I've never branded the cheat sheets, the podcast or any other project I've worked on as anything but "OWASP".

I've also been mentioning, more and more often, that OWASP does not endorse companies or products, even when no one is looking.

Last, I'm getting OWASP business cards to use at OWASP events. Eoin was right to point out that I should use them instead of my personal business card when representing OWASP.

The point I'm trying to make here is that I'm willing to look at my own actions and make better decisions around vendor neutrality and my fiduciary responsibility to OWASP.

***

I am personally a big fan of Top Ten documents as introductory awareness documents for WebAppSec. I just think that no one man or company should make the final decision around its contents.

What makes OWASP so great is our ability to drop our vendor affiliations and work together as a team to serve the greater good.

As board members, we have a legal responsibility to be *loyal* to OWASP. And this is a responsibility I take very seriously.

A good read on this topic is the book, "Legal Responsibilities of Nonprofit Boards" by Bruce Hopkins, JD. It's an older book but is quite relevant (since the laws in this area have only tightened in recent years). The three primary duties are:

* Duty of Care *
The duty of care describes the level of competence that is expected of a board member, and is commonly expressed as the duty of "care that an ordinarily prudent person would exercise in a like position and under similar circumstances." This means that a board member owes the duty to exercise reasonable care when he or she makes a decision as a steward of the organization.

* Duty of Loyalty *
The duty of loyalty is a standard of faithfulness; a board member must give undivided allegiance when making decisions affecting the organization. This means that a board member can never use information obtained as a member for personal gain, but must act in the best interests of the organization.

* Duty of Obedience *
The duty of obedience requires board members to be faithful to the organization's mission. They are not permitted to act in a way that is inconsistent with the central goals of the organization. A basis for this rule lies in the public's trust that the organization will manage donated funds to fulfill the organization's mission.

Thanks for reading this far. :)

Aloha,
Jim


> Jim,
> 
> While I do adore Jeff Williams, Dave Wichers, and the entire Aspect
> Security team -- I do enjoy and agree with what you're initially proposing
> here as well.
> 
> To be honest, I'm not sure if the Mobile T10 is any better -- it seems that
> WhiteHat Security and HP are vying for the title to its content.
> 
> The T10 projects are really non-scientific and biased studies to begin
> with. Maybe we should get rid of them entirely, or merge them into a new
> project?
> 
> 
> 
> On Mon, Feb 25, 2013 at 6:51 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> WebGoat is actively being maintained by Bruce Mayhew at a different
>> company. 5.4 was released recently.
>>
>> I believe that you and Dave are in a clear conflict-of-interest situation
>> around the OWASP top ten since you own an AppSec firm. We should probably
>> move to a consensus approach and have more folks as the final decision
>> makers for the OWASP Top Ten content like we do at the Top Ten Mobile
>> project.
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Feb 25, 2013, at 2:31 PM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>>
>> Hi,
>>
>> It's not fair to retroactively change the terms of the agreement under
>> which we agreed to donate WebGoat, Top Ten, and others.  There were
>> excellent reasons for OWASP to actively recruit projects from organizations
>> and part of that agreement was to allow corporate branding.  Some may think
>> that those justifications have changed.  Personally I do not.
>>
>> To me, the best future for OWASP (the one where we start to achieve our
>> mission) is the one where all the players in the entire ecosystem --
>> commercial and non-commercial alike -- can interact.  I believe that OWASP
>> can provide the platform for that ecosystem to grow and thrive. IMHO,
>> engaging with commercial entities and getting them to share their
>> intellectual property in a free and open way as Aspect has done is the only
>> viable route to achieving our mission.
>>
>> But whether OWASP decides to attract future commercially sponsored
>> projects or not, and I definitely hope they do, changing the deal now isn't
>> right.
>>
>> --Jeff
>>
>>
>>
>> On Thu, Feb 21, 2013 at 4:29 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> I think that there should only be OWASP and/or the project logos on
>>> the 'front' and 'main' pages of a project.
>>> So for a documentation one then that really would be the front page, and
>>> for tools that would be the first and most commonly used screens.
>>> I don't have a problem with reasonably sized Corporate logos on a Sponsors
>>> or Supporters page.
>>> So as it happens I'm fine with the Aspect logo on the new Top 10 RC,
>>> although I can't comment on whether other logos should be there as well.
>>> And the previous WebGoat would fail this test, but could pass if the logo
>>> was moved onto a separate Sponsors page.
>>> But I'm uncomfortable with the idea of sponsors of the cheat sheets -
>>> they are all 'front' page and so should be sponsor free.
>>>
>>> I think the key thing is whether someone new to the project would be
>>> confused as to whether this was an OWASP project, a Company XYZ project or
>>> a joint project. It should be obvious that it's the first of these.
>>>
>>> So yes, I think spelling out these sort of things is worthwhile, but it's
>>> the spirit of the thing that's important as there's always the possibility of
>>> someone trying to subvert that while keeping to the 'letter of the law'.
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>>
>>> On Thu, Feb 21, 2013 at 9:11 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> I like this idea and will suggest to Samantha that we codify it as a
>>>> project rule moving forward.
>>>>
>>>> 1) So for WebGoat (as an example), this would mean we would remove the
>>>> current logos in the next version and replace it with a link to the wiki
>>>> sponsor page for WebGoat. I like this, reasonable?
>>>>
>>>>  2) What about content? Should we allow corporate logos on "release"
>>>> versions of content like the different dev/testing guides, top ten or the
>>>> cheat sheets?
>>>>
>>>> I know this is a bit pedantic, but I'd like to set a clear policy here
>>>> so we are all playing with the same project rules. Your opinions all matter.
>>>>
>>>> Thanks all,
>>>>
>>>> --
>>>> Jim Manico
>>>> @Manicode
>>>> (808) 652-3805
>>>>
>>>> On Feb 21, 2013, at 5:43 PM, psiinon <psiinon at gmail.com> wrote:
>>>>
>>>> We do exactly that for ZAP:
>>>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Sponsors
>>>>
>>>> So +1 from me
>>>>
>>>> On Wed, Feb 20, 2013 at 2:21 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>>>
>>>>> I mentioned the same thing to Jim yesterday.  One idea is to add a TAB to
>>>>> the default project template pages for "Project Sponsors" like this -
>>>>>
>>>>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#Project_Sponsors
>>>>>
>>>>>
>>>>> -Ryan
>>>>>
>>>>> On 2/20/13 2:40 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
>>>>>
>>>>>>> I would suggest having a dedicated page in the wiki that list project
>>>>>>> sponsors instead of having logos everywhere.
>>>>>>
>>>>>> This is the kind of compromise over vendor-neutrality that I can get
>>>>>> behind.
>>>>>>
>>>>>> I am not at all anti-vendor, I just want our community - especially
>>>>>> leaders - to respect ethical boundaries that were set by the founders
>>>>>> years ago.
>>>>>>
>>>>>> We have conferences with vendor showcases, that is not going to stop. We
>>>>>> have "networking" events where vendors are allowed to participate. We
>>>>>> have wonderful corporate sponsors who we place on our website. These are
>>>>>> all reasonable OWASP/vendor relations.
>>>>>>
>>>>>> The devil is in the detail, and I agree we need to work on better "use
>>>>>> and abuse" cases to make these boundaries a lot more clear to the
>>>>>> community.
>>>>>>
>>>>>> Respectfully,
>>>>>> --
>>>>>> Jim O'Manic
>>>>>> @Manicode
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2/19/13 2:03 PM, Amro wrote:
>>>>>>> I would suggest having a dedicated page in the wiki that list project
>>>>>>> sponsors instead of having logos everywhere.
>>>>>>>
>>>>>>> My 2 cents.
>>>>>>> Sent from BlackBerry®. Excuse typo's and brevity.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Konstantinos Papapanagiotou <konstantinos at owasp.org>
>>>>>>> Sender: owasp-leaders-bounces at lists.owasp.org
>>>>>>> Date: Tue, 19 Feb 2013 22:31:29
>>>>>>> To: psiinon<psiinon at gmail.com>
>>>>>>> Cc: OWASP Leaders<owasp-leaders at lists.owasp.org>
>>>>>>> Subject: Re: [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>>
>>>
>>
>>
>>
>>
> 
