[Owasp_framework_security_project] Welcome!

Chris Varenhorst varenc at gmail.com
Mon Sep 16 17:03:26 UTC 2013

hey all,

I'm Chris and I'm a software engineer at Dropbox where I like to do
security stuff sometimes.

I'm also irrationally excited about getting web frameworks to send
X-Frame-Options: DENY by default.


On Sun, Sep 15, 2013 at 9:36 AM, James Landis <james.landis at owasp.org>wrote:

> Michael, are you going to introduce yourself, too? :)
> I'm a SDLC/governance guy, currently living in the Bay Area and working
> for a little company called eBay, though I cut my teeth doing consulting
> work around the world for many years prior. Much of that work was app pen
> testing and training. It got frustrating over time finding the same exact
> problems over and over again. It got to the point where I would ask my
> customers if they were doing any of a short list of things, and if not I
> would tell them not to waste money doing pen tests since I could already
> tell them what they were going to find.
> I'm also the project lead for the OWASP Periodic Table. The main guiding
> principle of that project is that, like buffer overflow, most vulnerability
> classes can be solved before an app developer even has a chance to write
> the first line of custom code. One of the things I think that means is that
> a framework shouldn't just expose security APIs, but it should be
> architected in such a way as to make it impossible to even make security
> mistakes at all! I'm excited to be a part of this effort to see if the
> theories we have can actually be implemented in the real world. As part of
> the project, we've already done a ton of legwork documenting high-level
> framework solution requirements; I'm looking forward to seeing how that
> rubber meets the road when it comes to low-level implementation!
> Thanks for the opportunity to join this team.
> -j
>  On Sep 11, 2013 8:37 PM, "Michael Coates" <michael.coates at owasp.org>
> wrote:
>> Welcome to the OWASP Framework Security Project,
>> We have our project page setup here:
>> https://www.owasp.org/index.php/OWASP_Framework_Security_Project
>> an example of the matrix we can build for framework controls is listed
>> here:
>> https://www.owasp.org/index.php/OWASP_Framework_Security_Project#tab=Frameworks__26_Security_Controls
>> I've added some of the high level information on the project and our
>> goals.
>> We need to do a few things first:
>> 1. What type of people do we have on the list? Please do introduce
>> yourself and also indicate if you are a Framework Developer, Security
>> Professional, a
>> Framework Leader or something else all together.
>> 2. We need to decide on the frameworks and controls we want to focus on
>> first. This will be partially impacted by our initial resources and
>> connections
>> 3. We need to build the list of available security controls and which
>> frameworks support what (starting with the framework we picked in step 2).
>> Then we'll move into coordination with the framework teams and go from
>> there.
>> With that, welcome! Please introduce yourself to the list.
>> *
>> *
>> --
>> Michael Coates | OWASP | @_mwc
>> _______________________________________________
>> Owasp_framework_security_project mailing list
>> Owasp_framework_security_project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_framework_security_project
> _______________________________________________
> Owasp_framework_security_project mailing list
> Owasp_framework_security_project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_framework_security_project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_framework_security_project/attachments/20130916/8d1dceb7/attachment.html>

More information about the Owasp_framework_security_project mailing list