[Owasp-leaders] The Only Thing That Is Constant Is Change

Sean Auriti sean.auriti at owasp.org
Tue May 10 16:48:27 UTC 2016


https://srcclr.com/ - Security for open-source code.

On Mon, May 9, 2016 at 9:43 AM, Tom Brennan - OWASP <tomb at owasp.org> wrote:

> The discussion is very healthy and helpful; thank you all.
>
> FWIW OWASP Foundation is in process of recruiting top talent from around
> the world to work full time for OWASP Foundation for (2) very important
> roles
>
> A) Senior Technical Coordinator
> B) Global Community Manager
>
> https://www.owasp.org/index.php/OWASP_Jobs
>
> and, unfortunately, with Mr. Ritchie's unexpected death, an Executive Director
>
> As always, OWASP encourages professional debate and collaboration driving to
> rough consensus, and meets monthly to discuss, document and make progress; see
> past and upcoming agendas
>  https://www.owasp.org/index.php/Board#tab=About_the_OWASP_Board
>
> Tom Brennan
> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921  B228 BD0F D9C6 DC6A A
>
> OWASP Foundation | www.owasp.org
> Tel:  (m) 973-506-9304
>
>
>
> On Mon, May 9, 2016 at 8:15 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> > a) how do we mature OWASP projects? OpenSAMM or CII or both
> >
> > OWASP does not mature projects. The project leader does that with
> > contributions of volunteers. The willingness of a project leader and his
> > abilities and talent do that. CII is a set of criteria created for
> > auto-evaluation and this is where it must begin. The leader must
> > understand what is expected from his project at all levels. OpenSAMM is not
> > the right tool for this and I want to refresh your mind: when in 2014
> > Samantha suggested this, it was a total failure. If you are a developer
> > you should understand ;-)
> >
> > OWASP does not offer the necessary financial support or a big developer
> > community to grow a project at a high level. ZAP is ZAP right now because
> > Mozilla is behind ZAP and recently ZAP got a grant from Linux. The search for
> > that grant was not supported by OWASP. A volunteer did that.
> >
> > b) Can OWASP Foundation provide the infrastructure and tooling to allow
> > these metrics to be met using automated means, thus improving our
> > understanding of incubator, labs, mature, and flagship projects?
> >
> > Partially. OWASP is a good place to market a project. Even other open
> > source developers use OWASP to promote their open source projects that are
> > not even part of OWASP, such as the BeEF project and many others.
> > OWASP has chapters and conferences where project leaders can promote their
> > projects, especially if the project leader has financial means. But OWASP is
> > no Linux nor Apache where you have a big community of DEVELOPERS ready to
> > participate and contribute with code. We lack that kind of skill from
> > volunteers in the community.
> > That's why I mentioned, if OWASP wants to develop projects it needs a serious
> > Volunteer Management Program to attract developers and match them with
> > projects that are really willing to make it.
> > OWASP can help projects with the GSoC but let's face it, only a handful can
> > make it and are willing to participate.
> >
> > I decided to start some open source projects outside OWASP because I do not
> > see the benefit of having all these criteria and rules while OWASP has
> > neither the developer community nor the financial budget to help me develop
> > a project at a high level. For me as a developer it is easier to do it alone and
> > look for sponsors and grants and manage them as I need. Keep in mind that to
> > produce software of quality a lot of effort in monetary means or time must
> > be invested. I have been a developer and team leader during my 17 years of
> > professional career and have recently moved more into pen testing while doing
> > the OSCP, and graduated with an MSc in Information Security back in 2009.
> >
> >
> > c) What is valuable to us as an organisation? We should work on those first.
> > Very good question. OWASP lacks many things to make it attractive for
> > developers to start a project here. I mean developers working on security, so
> > most of these guys will start their own thing without OWASP.
> > Unfortunately many people starting projects at OWASP do it to promote
> > themselves or their security companies, not really to 'develop an open
> > source project' for the long run. A kind of 'marketing tool'. So OWASP
> > attracts some people that are not exactly the target group you want to
> > develop software at a higher level.
> >
> > OWASP should reconsider focusing on what it does best: conferences and
> > chapters. Most people attracted to these are security professionals and
> > vendors looking to exchange information and discuss security
> > vulnerabilities. But I don't see full-time developers joining OWASP. It is not
> > really the place where you feel at home. We don't discuss how to develop
> > better software at a technical code level or how to improve frameworks
> > because we lack developers. Most discussions are around pen testing,
> > guidelines and how to find vulnerabilities. That's a completely different mind
> > set than a developer's.
> >
> > Development of secure code is about how to code securely and make it easier for a
> > developer to implement security. ESAPI was an attempt at that but right now
> > Apache Shiro is a much better option and easier to use imo. Microsoft is
> > doing excellent work and many other frameworks like Node.js are improving
> > their security.
> >
> >
> >
> >
> > On Mon, May 9, 2016 at 3:34 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
> >>
> >> I see this as being
> >>
> >> a) how do we mature OWASP projects? OpenSAMM or CII or both
> >> b) Can OWASP Foundation provide the infrastructure and tooling to allow
> >> these metrics to be met using automated means, thus improving our
> >> understanding of incubator, labs, mature, and flagship projects?
> >> c) What is valuable to us as an organisation? We should work on those
> >> first.
> >>
> >> In the first instance, asking our flagship projects to self-assess if they
> >> are coding projects is going to be a light-touch approach, and helps us
> >> understand where projects could invest SoC funding or drive volunteer effort
> >> in a targeted and focused way.
> >>
> >> So many times, people add complexity and features to an application, but
> >> do not drive quality and all the -alities of a good software project.
> >>
> >> Personally, we have a home-grown set of principles with OpenSAMM; some of
> >> the best value for OWASP project *users* and *project owners* might be in
> >> the intersection of these two things.
> >>
> >> thanks
> >> Andrew
> >>
> >>
> >> On Mon, May 9, 2016 at 6:18 AM, Larry Conklin <larry.conklin at owasp.org>
> >> wrote:
> >>>
> >>> Johanna, I think this may be a fair statement: "Being someone who
> >>> has looked closely most projects code and development process, I can tell
> >>> with confidence , most, including those labeled as flagship , won't be able
> >>> to comply with these norms" but I am not as familiar with all the projects
> >>> as you are.
> >>>
> >>> But I think we have to step back a little and review.
> >>>
> >>> This process, for the badge part, is a self-assessment. That said, all
> >>> developers in SourceForge, etc. would never overstate their own projects.
> >>> lol But I think it is a great idea and OWASP is moving down the same path.
> >>>
> >>> Our process that we are developing is a mix of self-assessment and peer
> >>> review. More emphasis on peer review will be placed on Flagship projects
> >>> and not just self-assessment. Also, another major difference is we are also
> >>> trying to accomplish something different than what CII is trying to
> >>> accomplish and more in line with Apache open source. That is corralling in
> >>> the Wild Wild West and having projects have some of the same rigor that
> >>> Chapters have today, like all projects having two leaders. Besides the
> >>> self-assessment and peer review we are also looking at what we can automate
> >>> to help us.
> >>>
> >>> But I will be honest, I think something keeps getting left out of the
> >>> discussion: making OWASP a great place for security code projects. We are
> >>> well on our way rocking and rolling with conferences, chapters, web, cheat
> >>> sheets, documentation. Now we need to rock and roll with ZAP and other
> >>> projects, making OWASP the place to be for secure coding projects helping with
> >>> application security. I would like to see more discussion on this.
> >>>
> >>> I have reviewed the badge process. A lot of it is now covered in our
> >>> assessment model. So that is a great thing and I thank you for bringing this
> >>> process into the discussion. It is important.
> >>>
> >>> Larry
> >>>
> >>> On Sat, May 7, 2016 at 11:07 AM, johanna curiel curiel
> >>> <johanna.curiel at owasp.org> wrote:
> >>>>
> >>>> Tom,
> >>>>
> >>>> The CII Badge criteria are a heavy checklist to control that an open
> >>>> source project complies with certain norms in different fields such as
> >>>> proper development and security.
> >>>>
> >>>> Being someone who has looked closely at most projects' code and development
> >>>> process, I can tell with confidence that most, including those labeled as
> >>>> flagship, won't be able to comply with these norms.
> >>>>
> >>>> Right now I think OWASP needs to set focus on developing a better
> >>>> platform to attract developers, volunteers and project leaders, motivating
> >>>> them to produce quality projects.
> >>>>
> >>>> A volunteer program and platform that can help match volunteers with
> >>>> initiatives and projects.
> >>>>
> >>>> Producing a quality project like ZAP needs dedication and resources,
> >>>> including a deep commitment to make it work. The ZAP project leader and
> >>>> volunteers work 100% on ZAP; this is by no means a 'hobby' or side
> >>>> project. Even so, ZAP is right now 92% compliant with the CII criteria and
> >>>> still needs to work on it.
> >>>>
> >>>> Most project leaders are doing this as side-hobby projects and in this
> >>>> way we will never be able to pull off projects compliant with CII
> >>>> criteria. Most are lonely leaders building their projects when they have time
> >>>> and once in a while they have the collaboration of contributors.
> >>>>
> >>>> So we need to be realistic and be careful not to impose on projects
> >>>> criteria or a process they will never be able to fulfill without the right
> >>>> platform and incentives.
> >>>>
> >>>> As I mentioned before, I strongly recommend focusing on creating and
> >>>> building a volunteer program and really thinking through how to attract and
> >>>> retain volunteers, create initiatives that can help produce quality projects
> >>>> and work with those project leaders looking for help.
> >>>>
> >>>> Collaboration and support are the key to creating meaningful and lasting
> >>>> open source projects.
> >>>>
> >>>> Regards
> >>>>
> >>>> Johanna
> >>>>
> >>>>
> >>>>
> >>>> On Sat, May 7, 2016 at 10:16 AM, Tom Brennan - OWASP <tomb at owasp.org>
> >>>> wrote:
> >>>>>
> >>>>> "The stakes have never been higher for open-source software security.
> >>>>> With millions of people around the world relying on open source software —
> >>>>> and vulnerabilities like Heartbleed putting everyone at risk — it's time to
> >>>>> change the way we support, protect, and fortify open software."
> >>>>>
> >>>>> Interesting article and project(s) now available
> >>>>>
> >>>>> http://www.linuxinsider.com/story/83463.html
> >>>>>
> >>>>> Why should OWASP code-based projects not work together on this
> >>>>> initiative in raising visibility for software security, improving our
> >>>>> project quality and management?
> >>>>>
> >>>>> Discussion, Debate, Agreement where do you stand on it OWASP Leaders?
> >>>>>
> >>>>> https://www.coreinfrastructure.org/programs
> >>>>>
> >>>>>
> >>>>> Tom Brennan
> >>>>> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921  B228 BD0F D9C6 DC6A A
> >>>>>
> >>>>> OWASP Foundation | www.owasp.org
> >>>>> Tel:  (m) 973-506-9304
> >>>>>
> >>>>> Need to book time with me to discuss an existing or a future project
> >>>>> click on my virtual calendar http://www.proactiverisk.com/brennan
> >>>>>
> >>>>> The information contained in this message and any attachments may be
> >>>>> privileged, confidential, proprietary or otherwise protected from
> >>>>> disclosure. If you, the reader of this message, are not the intended
> >>>>> recipient, you are hereby notified that any dissemination, distribution,
> >>>>> copying or use of this message and any attachment is strictly prohibited. If
> >>>>> you have received this message in error, please notify the sender
> >>>>> immediately by replying to the message, permanently delete it from your
> >>>>> computer and destroy any printout.
> >>>>> _______________________________________________
> >>>>> OWASP-Leaders mailing list
> >>>>> OWASP-Leaders at lists.owasp.org
> >>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Johanna Curiel
> >>>> OWASP Volunteer
> >>>>
> >>>
> >>>
> >>
>
>
>
>

