james.landis at owasp.org
Sun Sep 15 16:36:43 UTC 2013
Michael, are you going to introduce yourself, too? :)
I'm an SDLC/governance guy, currently living in the Bay Area and working for
a little company called eBay, though I cut my teeth doing consulting work
around the world for many years prior. Much of that work was app pen
testing and training. It got frustrating over time finding the same exact
problems over and over again. It got to the point where I would ask my
customers if they were doing any of a short list of things, and if not I
would tell them not to waste money doing pen tests since I could already
tell them what they were going to find.
I'm also the project lead for the OWASP Periodic Table. The main guiding
principle of that project is that, like buffer overflow, most vulnerability
classes can be solved before an app developer even has a chance to write
the first line of custom code. One of the things I think that means is that
a framework shouldn't just expose security APIs, but it should be
architected in such a way as to make it impossible to even make security
mistakes at all! I'm excited to be a part of this effort to see if the
theories we have can actually be implemented in the real world. As part of
the project, we've already done a ton of legwork documenting high-level
framework solution requirements; I'm looking forward to seeing how that
rubber meets the road when it comes to low-level implementation!
Thanks for the opportunity to join this team.
On Sep 11, 2013 8:37 PM, "Michael Coates" <michael.coates at owasp.org> wrote:
> Welcome to the OWASP Framework Security Project,
> We have our project page setup here:
> an example of the matrix we can build for framework controls is listed
> I've added some of the high level information on the project and our goals.
> We need to do a few things first:
> 1. What type of people do we have on the list? Please do introduce
> yourself and also indicate if you are a Framework Developer, Security
> Professional, a Framework Leader or something else altogether.
> 2. We need to decide on the frameworks and controls we want to focus on
> first. This will be partially impacted by our initial resources and
> 3. We need to build the list of available security controls and which
> frameworks support what (starting with the framework we picked in step 2).
> Then we'll move into coordination with the framework teams and go from
> With that, welcome! Please introduce yourself to the list.
> Michael Coates | OWASP | @_mwc