[Owasp-leaders] OWASP ESAPI Project Status

Dennis Groves dennis.groves at owasp.org
Sun Mar 30 22:31:47 UTC 2014

I personally proposed the use of our very own best of breed application
maturity model known as OpenSAMM. And it was adopted by the technical team
for use in evaluation of the projects.

OpenSAMM intentional or not is based on the Capability Maturity Model; and
the capability maturity model is a standard created by Carnegie Mellon
University and required by many DOD and U.S. Government contracts,
especially software development. The CMM is the result of several PhD level
sciences coming together in an interdisciplinary model.

By standing on this bedrock of history, we promote our own derivative of
the CMM, a project known as OpenSAMM; and this is a great idea because we
want to promote the adoption of OWASP and the use of its projects. And
OpenSAMM is rooted in this history of great science and is one of our very
best projects because of this heritage, not to mention all the love and
attention that was given to it.

Second, CMM is based on a scientific method known as the Rarsh Model, which
allows you to statistically analyse the question, allowing you to identify
the subset of data where people are talking from experience.

Third, it defines a set of four buckets; Governance, development,
verification and operations - and for the very same reason we can use
OpenSAMM from everything to an SDLC to evaluating the maturity of an entire
enterprise security management system of a company (as I have done
literally hundreds of times, this our flavour of a CMM and it is much, much
more than an SDLC tool as I demonstrated now twice.)

In the case of OWASP we derived all three values from using OpenSAMM as the
basis for the project evaluation criteria. However, it should also be
understood that it was only one of several questionnaires used in
evaluating the project maturity.

I also hope you will understand that OpenSAMM is much more than an SDLC
tool; but that it inherits much of the science that went into the CMM and
CMMI and can be used similarly.

And as a side note additional value was derived as well, we learned that
most projects did not fall into the Governance or Operational categories,
but into the development and verification catagories.

In other words - OWASP is failing to give complete advice about how to deal
with cyber-security!  (Opportunities for growth!)

We are over focused on development and verification - this is stuff
*everybody* has advice for. (Pen-Testing and Development)

This has allowed us to branch out into areas where there is less
competition such as the CISO guide (which I personally partially-funded,
from one of my chapters) and the operational project I am working on now
with BCS and GNU to start and fund a new OWASP project. Because we can
create unique value in those spaces, keeping OWASP relevant!

In order to remain relevant OWASP requires a long-game strategy (the
project evaluations are part of that), we will not remain relevant if we
keep playing in the same sandbox with everybody else. The project
evaluations were part of understanding what that strategy maybe and how to
expand our current offerings.

This is basic education for MBA's (like Samantha) and business management
like the awesome OWASP Foundation Staff (Sarah and her team).

What is most disappointing to me is that there are people in this thread
calling community activities stupid; and not seeking to understand why
something was done and what value it created.


Dennis Groves, MSc
Email me, or schedule a meeting.
This email is licensed under a CC BY-ND 3.0 license.
Stand up for your freedom to install free software.
Please do not send me Microsoft Office/Apple iWork documents.
Send OpenDocument instead!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140330/4b12233f/attachment.html>

More information about the OWASP-Leaders mailing list