[Owasp-leaders] Instead of OWASP libraries, why don't we ...

Josh Sokol josh.sokol at owasp.org
Sat Nov 21 15:56:42 UTC 2015


I agree with what Tim said.  For example, if PHPSec is so bad that one of
the original developers said we should ditch it, maybe we should look for
the best 3rd party tool out there (
https://github.com/padraic/SecurityMultiTool perhaps) and give them
resources to help improve it and drive people to it.  OWASP should be all
about giving people the right resources, not necessarily having to create
them ourselves.

~josh

On Sat, Nov 21, 2015 at 9:47 AM, Jim Manico <jim.manico at owasp.org> wrote:

> I think that's a great idea, Johanna. It's wise of us to spend our funds
> on providing these key defensive projects with additional assurance.
>
> In general, I'd like to see OWASP bring in more *technical* resources to
> help with projects, wiki and infrastructure enhancement. I also think Tim's
> idea about helping common frameworks with security engineering is spot on
> and I'd love to see us invest in those efforts. I've submitted a few
> suggestions to the board and it's being discussed in the context of the
> 2016 budget.
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
>
> On Nov 21, 2015, at 9:39 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> >>Or offer bounties for specific platform security tasks.
>
> Why not as part of a Project review process to offer bounties for testing
> the project at security level?
> We have some key projects like CSRFGuard and Java HTML Sanitizer that are
> used as 'Protection Libraries' against certain attacks and many companies
> are depending on these projects to secure their sites. Even I know some
> using ESAPI still
>
>
>
> On Fri, Nov 20, 2015 at 11:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > Does this resonate with anyone?
>>
>> Spot on. It's hard work and takes a lot of selfless dedication.
>>
>> I feel OWASP should consider spending some of its funds to hire
>> developers to be dedicated to some of these tasks. Or offer bounties for
>> specific platform security tasks. I think that would accelerate this kind
>> of activity, significantly....
>>
>> Auto-escaping templates, CSP integration, solid ABAC implementations,
>> default secure headers, solid integrated password storage, etc etc all by
>> default all integrated into common development platforms.
>>
>> I think this would be an awesome way to serve the mission. Anyone agree?
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> On Nov 20, 2015, at 4:10 PM, Tim Morgan <tim.morgan at owasp.org> wrote:
>>
>> Does this resonate with anyone?
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>