[Owasp-leaders] Plan approach - help fix platforms devs use
tim.morgan at owasp.org
Mon Nov 23 19:12:40 UTC 2015
> If we look at this from an owasp project perspective. I know we don't
> encourage endorsing products. But I believe we should be in a position to
> provide something such as an OWASP Verified label that can be used for
> these platforms we are going to put in this work on. I think the project
> should set requirements that should allow platforms to be evaluated to meet
> a certain level before before being provided this label. I think this
> label will also encourage platforms to consider working with us more.
> Just some of my thoughts of how we can projectize this based on the current
> OWASP structure.
Anything we can do to make platform developers feel gently pressured
to improve their APIs is good. However, I'm not sure we can really do
a "verified" label for a platform based on a very limited view of APIs
we assess initially. (e.g.: Just because platform Y's LDAP, Crypto,
and SQL APIs are in good shape, doesn't mean the whole platform is
My thought on this, as I just posted in response to Johanna, is to
have a simple grade for each platform/API combo with a side-by-side
comparison of platforms we've evaluated.
However, if we ever get to the point in the future where we have 20+
API types evaluated across dozens of platforms, and a particular
platform does an amazing job on all of these, maybe we could assign
some kind of "award" or "top performer" label.
More information about the OWASP-Leaders