[Owasp-o2-platform] Fwd: For comment: OWASP references on SI's Press Release, Commercial Support of an OWASP project

dinis cruz dinis.cruz at owasp.org
Thu Aug 18 13:56:19 EDT 2011

For those who are not on the owasp-leaders list, I would like to ask the
same two questions of you (see forwarded email below), namely on SI's
official support of O2.

btw, if you work for a company that also would like to provide these
services, now would be a good time to 'go official' :)

Dinis Cruz

Begin forwarded message:

*From:* dinis cruz <dinis.cruz at owasp.org>
*Date:* 18 August 2011 18:25:32 GMT+01:00
*To:* owasp-leaders at lists.owasp.org
*Cc:* Maureen Robinson <mrobinson at securityinnovation.com>,  Tom Bain <
tbain at securityinnovation.com>
*Subject:* *For comment: OWASP references on SI's Press Release, Commercial
Support of an OWASP project*

As some of you might have noticed, I recently joined SI (Security Innovation)
as an Employee (for more details on why I did it, see this personal blog).

Due to the power of the OWASP brand, SI's marketing department wants to
issue a Press Release (PR) with this bit of news. This has happened a number
of times before for other OWASP leaders and products, and sometimes the fine
line between 'marketing' and abusing the OWASP brand (or overstating particular
facts) gets crossed. For example, SI did issue a Press Release a couple of
months ago that could have benefited from some OWASP peer review :).

Part of what I want to do at SI is to create frames of reference/examples
for how commercial companies should behave around OWASP, and SI (so far) has
tried very hard to play by OWASP rules (even when they don't exist or are
not explicitly defined). That is not to say that they haven't made mistakes in the
past, but they are trying hard.

So, the first part of this email is a question to you: "Is the PR included
at the end of this email OK?" Please be brutal in your feedback, and if you
feel changes should be made, please let us know (I'm CCing Tom and Maureen
from SI's marketing department, so if relevant, please include them on your
replies (the cut-off point is next Monday at 12pm EST, with a publishing date
of Tuesday)). I made some changes to the original version, but remember that
this is a Press Release :)

The 2nd question on this email is related to the fact that SI is going to
offer (i.e. sell) commercial Support for an OWASP project, in this case the
OWASP O2 Platform.

The original focus is going to be on using O2 to customise existing AppSec
tools in order to make them 'Framework Aware', and on the automation of
AppSec security reviews (i.e. delivery of security findings as unit tests
for developers). Btw, I'm still hurting from the fact that SI (due to market
demand) wants to build training content on ESAPI and not on O2 :)

The question is: "How can this type of service be represented on OWASP's
website and to OWASP's community?"

For example, what disclaimers should be made to make sure this is not
perceived as an 'OWASP provided service'? Maybe we should create a Code of
Conduct book for these cases?

I believe this to be a really good development for OWASP, and I do wish that
other companies provided commercial support/services on OWASP projects, for
example: WebGoat, ESAPI, ASVS, WebScarab/Zap, Top 10, Legal, Encoding
libraries, Testing/Code/Developer guides, Cheat-Sheets, etc...

Of course, since OWASP projects are all licensed with an Open Source or
CC license, it will not be possible for ONE company to be the ONLY provider
of these services. Ideally we should have multiple companies providing
these commercial services (each with its own unique positioning, strengths
and offerings). It would then be a case of the market deciding which one
they want to reward with their business.

This is uncharted territory, but the good news is that finally (with
SI officially supporting O2) we have a real-world scenario to deal with
(in the past we spent too much time theorising about the multiple
hypothetical scenarios and abuses).

The best way to get things done at OWASP is to try new ideas, see how they
go, listen to the feedback received, and improve on the next version.

So SI and I are kickstarting this, and hopefully others will follow.

(note: there is already an OWASP project that was going to try to get this
to happen, but it had no energy; maybe now is the time to restart it)

Dinis Cruz

(below is the full text of the PR that will be published next Tuesday)

Security Innovation Announces the Hiring of Web Application Security
Expert Dinis Cruz as Principal Security Engineer

Wilmington, Mass., August 22, 2011 – Security Innovation, a leading
organization specializing in application security products and
services, has announced that it has hired Dinis Cruz as Principal Security
Engineer. This strategic appointment supports Security Innovation’s goal,
which is to provide its customers with solutions designed to help protect
their most coveted assets through securely developing applications.

Cruz will serve as a lead architect and visionary, driving the design and
evolution of the company’s knowledgebase repository product, TeamMentor
Enterprise Edition. Cruz will be responsible for re-architecting the solution
to better serve security and development teams, with a particular focus on
integration with other products, frameworks, and automated assessment
activities. He’ll also continue to lead the company’s strategic initiatives
with the open-source community.

“Dinis has been a part of our extended team, working on product development
projects over the last several months. Now that he is officially joining us
as an employee, we’re excited to have him fully engaged, enhancing our
unique portfolio of application security-specific products and services,”
said Jason Taylor, chief technology officer, Security Innovation. “We are
focused on adding respected application security experts to our staff to
enable our customers to build the most secure applications in the world.”

Cruz brings extensive Web application security experience to his role with
Security Innovation. Previously, Cruz served as Director of Advanced
Technology with Ounce Labs and specialized in code reviews, penetration
testing, ASP.NET application security and security engineering. As an active
OWASP leader and contributor, Cruz has been rewriting the Open Source OWASP
O2 Platform. He served as an OWASP Board Member (2005 to 2011) and has led
important initiatives like the OWASP Seasons of Code, OWASP Summits (2008
and 2011), OWASP books, and a number of OWASP .NET projects. As the main
developer of the OWASP O2 Platform, Cruz’s vision is to automate application
security knowledge, and he has designed O2 to be an industry standard for
data-sharing between WebAppSec tools, consultants and final users. He is
also a regular industry speaker, having delivered technical presentations
and training at numerous OWASP conferences and BlackHat.

Cruz will also work closely with SI’s Application Security services team
delivering software and SDLC
assessments <http://www.securityinnovation.com/services/> and
help to create Security Innovation supported versions of the OWASP O2
Platform. Specifically, this effort is designed to integrate and consolidate
the data created by tools or services like IBM Rational AppScan, Veracode,
WhiteHat, Microsoft CAT.NET, OWASP Zap Proxy, Burp Proxy, HP Fortify and
other open source tools to make them ‘Framework Aware’ and connect them with
existing SDLC tools and processes.

“What started as writing some code for TeamMentor a few months ago turned
into a longer-term project that really allowed me to get a feeling for what
it’s like to work with Security Innovation,” said Cruz. “I was impressed by
the company’s application security knowledge and there was an obvious synergy
between us. We believe in the same best practices and methodologies for
architecting secure software and making that knowledge broadly available,”
he added.

Cruz is an active blogger. His views on joining Security Innovation and
other security-related topics can be found on the Dinis Cruz
and on Security Innovation’s Application and Cyber Security

About Security Innovation
Security Innovation is an established leader in the application security and
cryptography space. For over a decade the company has provided products,
training and consulting services to help organizations build and deploy more
secure systems and improve the process by which their applications are
Security Innovation built upon its core competencies in application security
with the acquisition of NTRU Cryptosystems in 2009, a company that developed
proprietary, standardized algorithms. This resulted in the strongest and
fastest public key cryptography available and the means to overcome
historical performance barriers that have plagued the encryption industry.
With these core strengths intact, Security Innovation is in a position to
help organizations protect their data at two critical points: while
applications are accessing it and during transmission. The company’s
flagship products include
the industry’s largest library of application eLearning courses, and
a web-based secure development methodologies product.

Security Innovation is privately held and is headquartered in Wilmington, MA.

Note to Editors: Security Innovation, NTRUEncrypt, TeamMentor, TeamProfessor and
the Security Innovation logo are trademarks of Security Innovation. All
other brand names may be trademarks of their respective owners.

Maureen Robinson
Security Innovation
(978) 694-1008 X21
mrobinson at securityinnovation.com

April Corso
Lois Paul & Partners
(781) 782-5831
april_corso at lpp.com