[Owasp-leaders] jowasp.org

Mauro Risonho de Paula mauro.risonho at owasp.org
Thu Sep 4 18:12:28 UTC 2014


goowasp.org or golang.owasp.org ? :)




On Thu, Aug 28, 2014 at 4:55 AM, psiinon <psiinon at gmail.com> wrote:

> I agree with most of your points, but not "All sites must be hosted within
> OWASP’s infrastructure (so OWASP has all the assets, and backups)"
> I think that restriction is unreasonable and will restrict innovation.
> Why shouldnt projects use EC2, GitHub pages or whatever?
> A requirement for backups to be available to OWASP is perfectly acceptable.
>
> I'm pretty sure there is already a significant amount of project related
> OWASP documentation that is only available via GitHub, SourceForge, Google
> Code etc.
> Most of the ZAP wiki is on Google Code, so I think the cats out of the bag
> for that one already ;)
>
> Yes, micro sites are likely to be restricted to 'rich' projects / chapters.
> But hopefully the fact that they have the money and desire to do this is
> an indication that they are well used / supported by the community.
>
> In the case of flagship tools I think we need micro sites in order to
> compete effectively against commercial alternatives.
> http://www.opensamm.org/ is a great example of this.
>
> Cheers,
>
> Simon
>
>
>
>
>
> On Thu, Aug 28, 2014 at 8:30 AM, Colin Watson <colin.watson at owasp.org>
> wrote:
>
>> Jim etc
>>
>> A great idea. But it can't be a free-for-all, as decisions here impact on:
>>
>> 1. other volunteers
>> 2. administrative resources
>> 3. the security of www.owasp.org
>> 4. the reputation of OWASP Foundation
>>
>> Names
>> ----------
>>
>> Firstly, it sounds like these microsites might relate to:
>>
>> - language (e.g. Java)
>> - framework (e.g. dotnet)
>> - project (e.g. proactive)
>> - role (e.g. defenders)
>> - initiative (e.g. government)
>> - chapter (e.g. nyc)
>> - region (e.g. asia)
>> - topic (e.g. risk/vulnerability)
>>
>> Focusing on just say the language idea, if there is java. but not
>> php., what does that indicate to outsiders?
>>
>> Focusing on  projects. If a project has a microsite, does that
>> undermine all the projects that don’t? It appears from other posts to
>> this list that many projects are either empty shells or not
>> maintained. There needs to be some threshold for volunteers to apply
>> for the right to have a subdomain, and their other
>> project(s)/contributions must already meet a certain high standard
>> (quality, freshness, support).
>>
>> Focusing on a risk/vulnerability, why should xss.owasp.org exist but
>> not csrf.owasp.org for example, or should the latter be
>> xsrf.owasp.org? Who decides what will be okay?
>>
>> Is there a danger that only "rich" leaders/chapters will be able to
>> create these microsites, if “pro design” and “SSL certificate” have to
>> be acquired?
>>
>> There will be a lot more new OWASP support overhead for these
>> microsites such as approving them ,setting up the DNS records,
>> managing access, maintaining assets, and periodic review.
>>
>> A final question on subdomains, how does the wiki deal with other
>> languages? I believe Spanish exists. Are there any subdomains already
>> allocated?
>>
>>
>> Not a free-for-all
>> -----------------------
>>
>> So, some initial discussion ideas for ground rules:
>>
>> a) All sub-domain DNS will be managed by OWASP (of course)
>>
>> b) No new domain names must be registered (to prevent sprawl, lack of
>> control and brand damage)
>>
>> c) All sites must be hosted within OWASP’s infrastructure (so OWASP
>> has all the assets, and backups)
>>
>> d) All root/admin access credentials must be held and controlled by
>> OWASP, not any project leader or other person (so that OWASP can
>> transfer ownership to another lerader, or take thje site down if not
>> maintained, or is contrary to any principle)
>>
>> e) Must conform to OWASP’s domain-level policies (e.g. RIA, HSTS?).
>> What content/includes will be allowed or not. Some might well
>> undermine the security of the main website.
>>
>> f ) Must be SSL-only
>>
>> g) No sponsorship/advertising at all (because that is occurring on a
>> tab of the project page).
>>
>> h) Must not contravene OWASP’s principles and ethics, or any governance
>> rules
>>
>> i) Must not have any? vulnerabilities!
>>
>> j) Must use 2FA for administrative access for all non-public access
>>
>> k) Must support multilingual capabilities
>>
>> l) Microsites will be culled if not updated within any rolling period
>> of (say) 180days.
>>
>> m) Content must be relevant, accurate, timely and be well written
>>
>> n) Vendor neutral
>>
>> o) (your suggestions)
>>
>>
>>
>> Colin
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140904/8684e931/attachment.html>


More information about the OWASP-Leaders mailing list