[Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available

Jack Mannino jack at nvisiumsecurity.com
Tue Feb 26 02:58:09 UTC 2013


And to clarify things based on the dialogue below:

For the Mobile Top 10 Refresh that we're currently mapping out (having
another planning meeting tomorrow, actually), I've set some ground rules:

1) Logos, don't want to see them.

2) Brand yourself around quality work and the community will recognize it
(and they'll probably figure out where you work, too).

3) No individual (or company) should take ownership of what we're doing as
a collective whole.

4) We will explicitly call out the groups that are contributing metrics and
data of value in a big "thank you" when all is said and done...after all,
they are contributing valuable time and intellectual property and certainly
deserve to be acknowledged.

So far everyone involved has been reasonable, but I'll be QUICK to call
anyone out that goes too far...I'm holding myself accountable to these
standards, as well. If I break my own rules, please feel free to flame me
for it.

We should be putting out a Call for Data (scrubbed findings, metrics, etc.)
and a Call for Feedback (on the existing list) within the next week or so.
Similar approach to last time, but a bit more focused. The core group of us
that worked on the initial list in 2011 learned a few things from making
mistakes the first go-round.

As always, we will certainly welcome constructive criticism and feedback on
how we're approaching things. Everyone kicking in cycles to the mobile
project is a volunteer as well and we're doing this on top of our "day
jobs"...

On Mon, Feb 25, 2013 at 9:28 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Thank you Dre.
>
> Make no mistake, I'm in conflict of interest around the T10, the OWASP
> Cheat series, and the OWASP podcast as well.
>
> I try to open the cheat sheet series to a wide audience of contributors. I
> also keep this series on the wiki to allow for community edits and
> contributions. The only time I have ever rejected a cheat sheet is due to
> low quality and I've always worked with folks to bring their work up to
> draft or release quality as best I can.
>
> The podcast is something that I have set the tone for, and I need to find
> a way to get more community involvement to ensure my own objectivity. I
> need to think about this more, but I am open to suggestions. The podcast in
> general is being released a lot less frequently, when it starts back up
> I'll try to get more "interviewers" involved to make it more objective. And
> please note, I've never branded the cheat sheets, the podcast or any other
> project I've worked on as anything but "OWASP".
>
> I've also been mentioning that OWASP does not endorse companies or products
> more and more often, even when no one is looking.
>
> Last, I'm getting OWASP business cards to use at OWASP events. Eoin was
> right to point out that I should use them instead of my personal business
> card when representing OWASP.
>
> The point I'm trying to make here is that I'm willing to look at my own
> actions and make better decisions around vendor neutrality and my fiduciary
> responsibility to OWASP.
>
> ***
>
> I am personally a big fan of Top Ten documents as an introductory awareness
> document for WebAppSec. I just think that no one man or company should make
> the final decision around its contents.
>
> What makes OWASP so great is our ability to drop our vendor affiliations
> and work together as a team to serve the greater good.
>
> As board members, we have a legal responsibility to be *loyal* to OWASP.
> And this is a responsibility I take very seriously.
>
> A good read on this topic is the book, "Legal Responsibilities of
> Nonprofit Boards" by Bruce Hopkins, JD. It's an older book but is quite
> relevant (since the laws in this area have only tightened in recent years).
> These three primary duties are:
>
> * Duty of Care *
> The duty of care describes the level of competence that is expected of a
> board member, and is commonly expressed as the duty of "care that an
> ordinarily prudent person would exercise in a like position and under
> similar circumstances." This means that a board member owes the duty to
> exercise reasonable care when he or she makes a decision as a steward of
> the organization.
>
> * Duty of Loyalty *
> The duty of loyalty is a standard of faithfulness; a board member must
> give undivided allegiance when making decisions affecting the organization.
> This means that a board member can never use information obtained as a
> member for personal gain, but must act in the best interests of the
> organization.
>
> * Duty of Obedience *
> The duty of obedience requires board members to be faithful to the
> organization's mission. They are not permitted to act in a way that is
> inconsistent with the central goals of the organization. A basis for this
> rule lies in the public's trust that the organization will manage donated
> funds to fulfill the organization's mission.
>
> Thanks for reading this far. :)
>
> Aloha,
> Jim
>
>
> > Jim,
> >
> > While I do adore Jeff Williams, Dave Wichers, and the entire Aspect
> > Security team -- I do enjoy and agree with what you're initially proposing
> > here as well.
> >
> > To be honest, I'm not sure if the Mobile T10 is any better -- it seems that
> > WhiteHat Security and HP are vying for the title to its content.
> >
> > The T10 projects are really non-scientific and biased studies to begin
> > with. Maybe we should get rid of them entirely, or merge them into a new
> > project?
> >
> >
> >
> > On Mon, Feb 25, 2013 at 6:51 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >
> >> WebGoat is actively being maintained by Bruce Mayhew at a different
> >> company. 5.4 was released recently.
> >>
> >> I believe that you and Dave are in a clear conflict-of-interest situation
> >> around the OWASP top ten since you own an AppSec firm. We should probably
> >> move to a consensus approach and have more folks as the final decision
> >> makers for the OWASP Top Ten content like we do at the Top Ten Mobile
> >> project.
> >>
> >> --
> >> Jim Manico
> >> @Manicode
> >> (808) 652-3805
> >>
> >> On Feb 25, 2013, at 2:31 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
> >>
> >> Hi,
> >>
> >> It's not fair to retroactively change the terms of the agreement under
> >> which we agreed to donate WebGoat, Top Ten, and others. There were
> >> excellent reasons for OWASP to actively recruit projects from organizations
> >> and part of that agreement was to allow corporate branding. Some may think
> >> that those justifications have changed. Personally I do not.
> >>
> >> To me, the best future for OWASP (the one where we start to achieve our
> >> mission) is the one where all the players in the entire ecosystem --
> >> commercial and non-commercial alike -- can interact. I believe that OWASP
> >> can provide the platform for that ecosystem to grow and thrive. IMHO,
> >> engaging with commercial entities and getting them to share their
> >> intellectual property in a free and open way as Aspect has done is the only
> >> viable route to achieving our mission.
> >>
> >> But whether OWASP decides to attract future commercially sponsored
> >> projects or not, and I definitely hope they do, changing the deal now isn't
> >> right.
> >>
> >> --Jeff
> >>
> >>
> >>
> >> On Thu, Feb 21, 2013 at 4:29 AM, psiinon <psiinon at gmail.com> wrote:
> >>
> >>> I think that there should only be OWASP and/or the project logos on
> >>> the 'front' and 'main' pages of a project.
> >>> So for a documentation one then that really would be the front page, and
> >>> for tools that would be the first and most commonly used screens.
> >>> I don't have a problem with reasonably sized Corporate logos on a Sponsors
> >>> or Supporters page.
> >>> So as it happens I'm fine with the Aspect logo on the new Top 10 RC,
> >>> although I can't comment on whether other logos should be there as well.
> >>> And the previous WebGoat would fail this test, but could pass if the logo
> >>> was moved onto a separate Sponsors page.
> >>> But I'm uncomfortable with the idea of sponsors of the cheat sheets -
> >>> they are all 'front' page and so should be sponsor free.
> >>>
> >>> I think the key thing is whether someone new to the project would be
> >>> confused as to whether this was an OWASP project, a Company XYZ project or
> >>> a joint project. It should be obvious that it's the first of these.
> >>>
> >>> So yes, I think spelling out these sorts of things is worthwhile, but it's
> >>> the spirit of the thing that's important as there's always the possibility of
> >>> someone trying to subvert that while keeping to the 'letter of the law'.
> >>>
> >>> Cheers,
> >>>
> >>> Simon
> >>>
> >>>
> >>> On Thu, Feb 21, 2013 at 9:11 AM, Jim Manico <jim.manico at owasp.org> wrote:
> >>>
> >>>> I like this idea and will suggest to Samantha that we codify it as a
> >>>> project rule moving forward.
> >>>>
> >>>> 1) So for WebGoat (as an example), this would mean we would remove the
> >>>> current logos in the next version and replace it with a link to the wiki
> >>>> sponsor page for WebGoat. I like this, reasonable?
> >>>>
> >>>> 2) What about content? Should we allow corporate logos on "release"
> >>>> versions of content like the different dev/testing guides, top ten or the
> >>>> cheat sheets?
> >>>>
> >>>> I know this is a bit pedantic, but I'd like to set a clear policy here
> >>>> so we are all playing with the same project rules. Your opinions all matter.
> >>>>
> >>>> Thanks all,
> >>>>
> >>>> --
> >>>> Jim Manico
> >>>> @Manicode
> >>>> (808) 652-3805
> >>>>
> >>>> On Feb 21, 2013, at 5:43 PM, psiinon <psiinon at gmail.com> wrote:
> >>>>
> >>>> We do exactly that for ZAP:
> >>>>
> >>>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#Sponsors
> >>>>
> >>>> So +1 from me
> >>>>
> >>>> On Wed, Feb 20, 2013 at 2:21 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> >>>>
> >>>>> I mentioned the same thing to Jim yesterday. One idea is to add a TAB to
> >>>>> the default project template pages for "Project Sponsors" like this -
> >>>>>
> >>>>> https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#Project_Sponsors
> >>>>>
> >>>>>
> >>>>> -Ryan
> >>>>>
> >>>>> On 2/20/13 2:40 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
> >>>>>
> >>>>>>> I would suggest having a dedicated page in the wiki that lists project
> >>>>>>> sponsors instead of having logos everywhere.
> >>>>>>
> >>>>>> This is the kind of compromise over vendor-neutrality that I can get
> >>>>>> behind.
> >>>>>>
> >>>>>> I am not at all anti-vendor, I just want our community - especially
> >>>>>> leaders - to respect ethical boundaries that were set by the founders
> >>>>>> years ago.
> >>>>>>
> >>>>>> We have conferences with vendor showcases, that is not going to stop. We
> >>>>>> have "networking" events where vendors are allowed to participate. We
> >>>>>> have wonderful corporate sponsors who we place on our website. These are
> >>>>>> all reasonable OWASP/vendor relations.
> >>>>>>
> >>>>>> The devil is in the detail, and I agree we need to work on better "use
> >>>>>> and abuse" cases to make these boundaries a lot more clear to the
> >>>>>> community.
> >>>>>>
> >>>>>> Respectfully,
> >>>>>> --
> >>>>>> Jim O'Manic
> >>>>>> @Manicode
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On 2/19/13 2:03 PM, Amro wrote:
> >>>>>>> I would suggest having a dedicated page in the wiki that lists project
> >>>>>>> sponsors instead of having logos everywhere.
> >>>>>>>
> >>>>>>> My 2 cents.
> >>>>>>> Sent from BlackBerry®. Excuse typos and brevity.
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Konstantinos Papapanagiotou <konstantinos at owasp.org>
> >>>>>>> Sender: owasp-leaders-bounces at lists.owasp.org
> >>>>>>> Date: Tue, 19 Feb 2013 22:31:29
> >>>>>>> To: psiinon<psiinon at gmail.com>
> >>>>>>> Cc: OWASP Leaders<owasp-leaders at lists.owasp.org>
> >>>>>>> Subject: Re: [Owasp-leaders] OWASP Top 10 - 2013 Release Candidate Now Available
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> OWASP-Leaders mailing list
> >>>>>>> OWASP-Leaders at lists.owasp.org
> >>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> >>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> >>>
> >>>
> >>>
> >>
> >>
> >
>
>



-Jack