<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    > we run around with our hands in the air when drama hits Twitter
more than normal.<br>
    <br>
    I would rephrase that as "some of us who actually give a sh%t go and
    fix the problem as best we can"<br>
    <br>
    - Jim<br>
    <br>
    <div class="moz-cite-prefix">On 2/11/16 9:52 PM, Andrew van der
      Stock wrote:<br>
    </div>
    <blockquote
cite="mid:CAEdoTfKQQPsj0wKGCzeicWV7Au9A6b33j5-0jTiHNgLx73dgPw@mail.gmail.com"
      type="cite">
      <div dir="ltr">I think this also comes down to the infrastructure
        transformation that I've asked Matt T to get ready for us since
        our last F2F at AppSec USA. We need to simplify our IT fleet,
        and really get it behind a proper enterprise architecture,
        rather than a rag tag collection of out of date stuff that we
        inherit. We only have so much Matt T time to maintain this
        stuff, and so pen testing it without also addressing the root
        cause: we have no idea where all our stuff is, who has admin,
        how it authenticates, we don't monitor it for attacks, and we
        don't have an IR plan and we run around with our hands in the
        air when drama hits Twitter more than normal.
        <div><br>
        </div>
        <div>I want a transformation plan, where we have only one of
          everything, and all the things we have are well managed and
          monitored. This will reduce our IT costs, and be better
          aligned with the resources we currently allocate to this
          task. </div>
        <div><br>
        </div>
        <div>This is not rocket science. </div>
        <div><br>
        </div>
        <div>thanks,</div>
        <div>Andrew</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Feb 12, 2016 at 4:18 PM, Jim
          Manico <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> +1 Thank you wall for
              security researchers who have helped us find bugs!<br>
              <br>
              Good stuff Tom, thanks for getting this started. I'm sure
              Josh will be especially interested in this.<br>
              <br>
              Aloha,<br>
              Jim
              <div>
                <div class="h5"><br>
                  <br>
                  <br>
                  <div>On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:<br>
                  </div>
                  <blockquote type="cite">Post mortem of fixes would be
                    nice to have and a wall of thank you should be
                    established yes?
                    <div><br>
                    </div>
                    <div>*draft*<span></span></div>
                    <div><a moz-do-not-send="true"
                        href="https://www.owasp.org/index.php/About_OWASP/Bug_Bounty"
                        target="_blank">https://www.owasp.org/index.php/About_OWASP/Bug_Bounty</a><br>
                      <br>
                      Tom Brennan<br>
                      Global Board of Directors<br>
                      (d) <a moz-do-not-send="true"
                        href="tel:973-506-9304" value="+19735069304"
                        target="_blank">973-506-9304</a><br>
                      <br>
                      OWASP Foundation | <a moz-do-not-send="true"
                        href="http://www.owasp.org" target="_blank">www.owasp.org</a><br>
                      <br>
                      <br>
                      On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico &lt;<a
                        moz-do-not-send="true"
                        href="mailto:jim.manico@owasp.org"
                        target="_blank">jim.manico@owasp.org</a>&gt;
                      wrote:<br>
                      > Right, but two OWASP researchers posted live
                      bugs over Twitter today. We<br>
                      > have to deal with it Kevin. I'd rather we
                      know than not know, sooner than<br>
                      > later. One of the bugs noted I fixed earlier
                      today.<br>
                      ><br>
                      > Knowing is half the battle.<br>
                      ><br>
                      > Aloha,<br>
                      > Jim<br>
                      ><br>
                      ><br>
                      > On 2/10/16 10:14 PM, Kevin W. Wall wrote:<br>
                      ><br>
                      > And to add to Timo's thoughts...if we have an
                      RFP to redo the OWASP site, if<br>
                      > we do put out a bug bounty, perhaps we should
                      wait until that effort is<br>
                      > finished, otherwise we may end up fixing
                      things twice.<br>
                      ><br>
                      > -kevin<br>
                      ><br>
                      > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen
                      &lt;<a moz-do-not-send="true"
                        href="mailto:timo.goosen@owasp.org"
                        target="_blank">timo.goosen@owasp.org</a>&gt;
                      wrote:<br>
                      >><br>
                      >> "But in the meantime, here are a few
                      resources to report your findings to<br>
                      >> if you run into security issues (and I
                      use "run into" with intention because<br>
                      >> you would never just start actively
                      testing a website for security without<br>
                      >> permission in some way, right? Because
                      doing so is a major criminal act in<br>
                      >> most countries, right?)"<br>
                      >> Depends. I've found bugs on sites before,
                      unintentionally just by clicking<br>
                      >> around.<br>
                      >><br>
                      >> On the idea of a bug bounty project for
                      OWASP. The idea is good, but I<br>
                      >> don't think that OWASP has the resources
                      to deal with a bug bounty program<br>
                      >> and the flood of reports that will
                      be coming in. Researchers get very annoyed<br>
                      >> if you don't respond promptly and take
                      them seriously. Just something to<br>
                      >> consider.<br>
                      >><br>
                      >> Regards.<br>
                      >> Timo<br>
                      >><br>
                      >> On Thu, Feb 11, 2016 at 6:15 AM, Jim
                      Manico &lt;<a moz-do-not-send="true"
                        href="mailto:jim.manico@owasp.org"
                        target="_blank">jim.manico@owasp.org</a>&gt;
                      wrote:<br>
                      >>><br>
                      >>> Folks,<br>
                      >>><br>
                      >>> A few OWASP researchers have found
                      bugs on OWASP's wiki and decided to<br>
                      >>> disclose them in public over twitter
                      before reporting to OWASP.<br>
                      >>><br>
                      >>> Can you please disclose to me or Matt
                      Tesauro or use the contact form or<br>
                      >>> do anything other than disclose in
                      public before discussing this with OWASP<br>
                      >>> IT staff and support?<br>
                      >>><br>
                      >>> Also, Josh Sokol is in the middle of
                      ramping up a more formal bug bounty<br>
                      >>> program and will provide a more
                      formal method for disclosure in the near<br>
                      >>> future.<br>
                      >>><br>
                      >>> But in the meantime, here are a few
                      resources to report your findings to<br>
                      >>> if you run into security issues (and
                      I use "run into" with intention because<br>
                      >>> you would never just start actively
                      testing a website for security without<br>
                      >>> permission in some way, right?
                      Because doing so is a major criminal act in<br>
                      >>> most countries, right?)<br>
                      >>><br>
                      >>> Thanks all.<br>
                      >>><br>
                      >>> Matt Tesauro: <a moz-do-not-send="true"
                        href="mailto:matt.tesauro@owasp.org">matt.tesauro@owasp.org</a><br>
                      >>> Jim Manico:  <a moz-do-not-send="true"
                        href="mailto:jim@owasp.org">jim@owasp.org</a><br>
                      >>> Contact Form: <a moz-do-not-send="true"
                        href="https://www.tfaforms.com/308703"
                        target="_blank">https://www.tfaforms.com/308703</a><br>
                      >>><br>
                      >>> Aloha,<br>
                      >>> Jim Manico<br>
                      >>> OWASP Global Board Member<br>
                      >>><br>
                      >>>
                      _______________________________________________<br>
                      >>> OWASP-Leaders mailing list<br>
                      >>> <a moz-do-not-send="true">OWASP-Leaders@lists.owasp.org</a><br>
                      >>> <a moz-do-not-send="true"
                        href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                        target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                      >>><br>
                      >><br>
                      >><br>
                      >>
                      _______________________________________________<br>
                      >> Owasp-community mailing list<br>
                      >> <a moz-do-not-send="true">Owasp-community@lists.owasp.org</a><br>
                      >> <a moz-do-not-send="true"
                        href="https://lists.owasp.org/mailman/listinfo/owasp-community"
                        target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-community</a><br>
                      >><br>
                      ><br>
                      ><br>
                      ><br>
                      > --<br>
                      > Blog: <a moz-do-not-send="true"
                        href="http://off-the-wall-security.blogspot.com/"
                        target="_blank">http://off-the-wall-security.blogspot.com/</a> 
                        | Twitter: @KevinWWall<br>
                      > NSA: All your crypto bit are belong to us.<br>
                      ><br>
                      ><br>
                      ><br>
                      <br>
                    </div>
                    <br>
                    <br>
                    -- <br>
                    <br>
                    Tom Brennan<br>
                    Global Board of Directors <br>
                    NYC/NJ Metro Chapter Leader<br>
                    (d) <a moz-do-not-send="true"
                      href="tel:973-506-9304" value="+19735069304"
                      target="_blank">973-506-9304</a><br>
                    <br>
                    OWASP Foundation | <a moz-do-not-send="true"
                      href="http://www.owasp.org" target="_blank">www.owasp.org</a><br>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>