<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>+1 as well. What a well thought out idea Todd. There is a lot of
      discussion going on about the next phase of maturing projects, do
      you have time to participate? <br>
    </p>
    <p>Aloha, Jim<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 5/20/16 6:41 PM, Tony UV wrote:<br>
    </div>
    <blockquote
cite="mid:4F6CAA4A3945BFBA.2BA30E08-077D-489E-855D-6A32C6B98A86@mail.outlook.com"
      type="cite">
      <div>+1<br>
        <br>
        <div class="acompli_signature">Get <a moz-do-not-send="true"
            href="https://aka.ms/o0ukef">Outlook for iOS</a></div>
        <br>
      </div>
      <br>
      <br>
      <br>
      <div class="gmail_quote">On Fri, May 20, 2016 at 11:35 AM -0700,
        "Todd Grotenhuis" <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:todd.grotenhuis@owasp.org" target="_blank">todd.grotenhuis@owasp.org</a>&gt;</span>
        wrote:<br>
        <br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div dir="ltr">
            <div dir="ltr">(That list is not meant to be exhaustive or
              final, just an example starting point that I think is more
              helpful than the current categorization)</div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">On Fri, May 20, 2016 at 2:28 PM,
                Todd Grotenhuis <span dir="ltr">&lt;<a
                    moz-do-not-send="true"
                    href="mailto:todd.grotenhuis@owasp.org"
                    target="_blank">todd.grotenhuis@owasp.org</a>&gt;</span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div dir="ltr">It seems that categorizing the projects
                    in "offense" and "defense" may exacerbate the
                    problem, acting as if these resources are at odds
                    with each other in improving security. Both
                    "offense" and "defense" projects are truly defense
                    projects, and many practitioners use tools from both
                    "categories" in pursuit of their work. I wonder if
                    it might be better to address what type of defense
                    they are:
                    <div><br>
                    </div>
                    <div>Secure Design and Architecture - tools &
                      references</div>
                    <div>Monitoring and Detection - tools &
                      references</div>
                    <div>Security Testing - tools & references</div>
                    <div>Secure Business Processes - references</div>
                  </div>
                  <div class="HOEnZb">
                    <div class="h5">
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On Fri, May 20, 2016 at
                          1:02 PM, Timothy D. Morgan <span dir="ltr">&lt;<a
                              moz-do-not-send="true"
                              href="mailto:tim.morgan@owasp.org"
                              target="_blank">tim.morgan@owasp.org</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex"><span><br>
                              > Respectfully, and that you
                              understand, I'm more than a ZAP fan. I<br>
                              > contribute/promote this project.
                              Don't get me wrong, ZAP is my favourite<br>
                              > tool and I just feel like they have
                              used something I care for bad purposes,<br>
                              > like thieves that steal your car to
                              commit a bank robbery.<br>
                              ><br>
                              > I think we need to at least
                              incentivize (not only financially) and
                              motivate<br>
                              > more research into defending
                              applications. Our defender projects help
                              but<br>
                              > they are a far cry from really making a
                              difference.<br>
                              <br>
                              <br>
                            </span>Ok, so we all agree tools are just
                            tools and they can be used for good or<br>
                            evil.  Let's put that behind us, yeah?<br>
                            <br>
                            <br>
                            I think the point Johanna is making is that
                            while there are a lot of offensive<br>
                            tools in the OWASP lineup to help everyone
                            *understand* what the security<br>
                            problems are, there are fewer mature tools
                            projects on the defense side to help<br>
                            developers solve them.<br>
                            <br>
                            Is that a problem?  Is it just the nature of
                            the beast that our solutions on<br>
                            the defense side involve more documentation,
                            testing guides, and awareness<br>
                            campaigns?  I'm actually not sure the answer
                            to that.<br>
                            <br>
                            What I do think, however, is that while
                            technical frameworks designed for<br>
                            defense are a great idea, they aren't going
                            to be adopted by the<br>
                            majority of developers who need it if they
                            are developed as independent<br>
                            libraries/modules/etc.  The developers who
                            need it have never heard of OWASP,<br>
                            and even if they have, they aren't
                            sufficiently motivated to go out of their
                            way<br>
                            to integrate a security framework into their
                            day-to-day development.  So I<br>
                            don't think adding a bunch more defense
                            tools is really the answer unless those<br>
                            are somehow integrated into standard
                            frameworks and development platforms.<br>
                            <br>
                            tim<br>
                            <div>
                              <div>_______________________________________________<br>
                                OWASP-Leaders mailing list<br>
                                <a moz-do-not-send="true"
                                  href="mailto:OWASP-Leaders@lists.owasp.org"
                                  target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                <a moz-do-not-send="true"
                                  href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                  rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>