[Owasp_sdl] SDL

Jerry Hoff jerry at owasp.org
Tue Mar 8 12:17:25 EST 2011


Hi Jeremy,

Great points.  Here are my thoughts:

1 - Agreed on avoid re-hashing, but personally I have found it useful
when advising clients on SDL matters to have a list of available owasp
and other resources at hand to give them.  Agreed also that the SDL
focuses on Microsoft platforms - however it is to be expected that we
may determine none, some or even all of the steps may need to be
reorganized or revised to fit more general needs. 

2 - It sounds like these would all be fantastic.  To start with, I
think we should focus on OWASP SDL for Web Development, since the
primary focus of OWASP (but obviously not the exclusive focus) is web
development.  I think then quickly following after the SDL for web would
be SDL for mobile & SDL for cloud.

Thoughts anyone?

Thank you Jeremy,
Jerry

On 3/8/11 10:37 AM, Jeremy Dallman wrote:
> A couple of quick thoughts here... I'll sit down and think about this more in the coming days.
>
> 1. Scope: It would be great if we could focus on a platform to avoid re-hashing resources that are already available in our first round. I think this would provide a level of value to OWASP customers that they cannot find elsewhere. The Microsoft SDL obviously focuses on Microsoft platforms. Showing that the Simplified SDL model applies to platforms outside of Microsoft would be a great message.
>
> 2. As for naming: I'm fine with OWASP SDL Project, but it may garner more attention if we accentuate the platform we are focusing on (assuming #1)...e.g. "SDL for OpenBSD" or "SDL for Cloud" or "SDL for Mobile".
>
> Jeremy Dallman
> Senior Security Program Manager
> Security Development Lifecycle 
> Microsoft Security Engineering Center
> p: 425.705.6787
> c: 425.761.2011
>
> -----Original Message-----
> From: owasp_sdl-bounces at lists.owasp.org [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
> Sent: Monday, March 07, 2011 6:34 PM
> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
> Subject: Re: [Owasp_sdl] SDL
>
> I think it's a good start. Just one thing though. There are so many resources related to SDL outside of OWASP, which should be mentioned too.
>
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anurag at myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> -----Original Message-----
> From: owasp_sdl-bounces at lists.owasp.org
> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
> Sent: Tuesday, March 08, 2011 4:19 AM
> To: owasp_sdl at lists.owasp.org
> Subject: [Owasp_sdl] SDL
>
> Hello OWASP SDL members!
>
> Time to get this list talking.  Sorry, I have been in flux over the last few weeks - basically moving from Asia to North America.  But at last I am on terra firma.
>
> To get started, we should decide a few things:
>
> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or does anyone have any other suggestions?
> 2) Scope of the project.  My basic roadmap is the following:
>
>     - Version 1: Go through the existing Simplified Implementation of the SDL and map it to existing OWASP resources
>     - Release Version 1, and collect feedback from the community
>    
>     - Version 2: Based on information collected, add/remove/alter SDL Phases and/or practices
>     - Release Version 2, and collect feedback from the community ....
> (repeat indefinitely)
>
> This is just to get the conversation started - suggestions? 
>
> Thanks team,
>
> Jerry
> _______________________________________________
> Owasp_sdl mailing list
> Owasp_sdl at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_sdl
>
>
