[Owasp-leaders] Plan approach - help fix platforms devs use

Tim tim.morgan at owasp.org
Mon Nov 23 19:12:40 UTC 2015


Hi Daniel,

> If we look at this from an owasp project perspective.  I know we don't
> encourage endorsing products.  But I believe we should be in a position to
> provide something such as an OWASP Verified label that can be used for
> these platforms we are going to put in this work on.  I think the project
> should set requirements that should allow platforms to be evaluated to meet
> a certain level before being provided this label.  I think this
> label will also encourage platforms to consider working with us more.
> 
> Just some of my thoughts of how we can projectize this based on the current
> OWASP structure.


Anything we can do to make platform developers feel gently pressured
to improve their APIs is good.  However, I'm not sure we can really do
a "verified" label for a platform based on a very limited view of APIs
we assess initially.  (e.g.: Just because platform Y's LDAP, Crypto,
and SQL APIs are in good shape, doesn't mean the whole platform is
secure.)

My thought on this, as I just posted in response to Johanna, is to
have a simple grade for each platform/API combo with a side-by-side
comparison of platforms we've evaluated.  

However, if we ever get to the point in the future where we have 20+
API types evaluated across dozens of platforms, and a particular
platform does an amazing job on all of these, maybe we could assign
some kind of "award" or "top performer" label.

tim

