[Owasp_sdl] SDL

Jerry Hoff jerry at owasp.org
Wed Mar 9 12:08:21 EST 2011


Hi Anurag,

Cool - I'm really, really big into collecting data/observation as a 
first step towards everything in life.  We can and should reach out to 
both small/mid/large cap companies and get information from their sec 
folk.  The collection of data is always good.

However, this isn't to say that the findings should override the 
existing SDL we have at hand, developed at Microsoft.  The very nature 
of cutting-edge research is that everyone *isn't* doing it.

Is anyone in the "anti-data collection" camp?  If so, feel free to make 
your case.  People in the "pro-data collection" camp, please throw out 
examples of questions we can put into a questionnaire and then send out 
to sec folk.

In the meantime, it would be good to start at least generally mapping 
existing, mature OWASP projects into the existing phases of the current 
simplified SDL.  I'll make a Google Doc for that end and send out the link.

Jerry



On 3/9/11 10:55 AM, Anurag Agarwal wrote:
> Jerry - you would be surprised how many large enterprises are looking for
> something like this. Though I agree with you that they may have resources,
> most of those people don't come from a development background and pick and
> choose what they understand or can implement. OWASP SDL might give them a
> proper structure around it. For example, Keith Turpin may not need it but
> Nishi might find it useful.
>
> By no means am I suggesting we should get them on board but I think it
> wouldn't hurt if they do join us. We can send them an invite and it's up to
> them to join.
>
> Just my .02 cents.
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anurag at myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> -----Original Message-----
> From: Jerry Hoff [mailto:jerry at owasp.org]
> Sent: Wednesday, March 09, 2011 11:48 AM
> To: Anurag Agarwal
> Cc: 'Jeremy Dallman'; owasp_sdl at lists.owasp.org
> Subject: Re: [Owasp_sdl] SDL
>
> Hi Anurag,
>
> Well, that brings up a good point.  BSIMM apparently did just that, so
> that research is more or less out there already.  My gut feeling is that
> the most likely candidates to use the OWASP SDL are small-to-mid sized
> companies.  Large companies will have dedicated resources / consultants
> to put together a custom SDL for them.
>
> So if we were going to seek more input, I think it should be security
> folk from small / mid-cap companies who have put together a successful
> security program with more limited resources.
>
> Rowdy dissension welcome...
>
> Jerry
>
>
>
>
> On 3/9/11 8:22 AM, Anurag Agarwal wrote:
>> Hey guys - Do you think we should get security folks from a couple of large
>> enterprises to be a part of this group and share their experiences on what
>> works and what doesn't for them?
>>
>> Thoughts?
>>
>>
>> Thanks,
>>
>> Anurag Agarwal
>> MyAppSecurity Inc
>> Cell - 919-244-0803
>> Email - anurag at myappsecurity.com
>> Website - http://www.myappsecurity.com
>> Blog - http://myappsecurity.blogspot.com
>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>
>> -----Original Message-----
>> From: Jerry Hoff [mailto:jerry at owasp.org]
>> Sent: Tuesday, March 08, 2011 12:17 PM
>> To: Jeremy Dallman
>> Cc: Anurag Agarwal; owasp_sdl at lists.owasp.org
>> Subject: Re: [Owasp_sdl] SDL
>>
>> Hi Jeremy,
>>
>> Great points.  Here are my thoughts:
>>
>> 1 - Agreed on avoiding re-hashing, but personally I have found it useful
>> when advising clients on SDL matters to have a list of available OWASP
>> and other resources at hand to give them.  Agreed also that the SDL
>> focuses on Microsoft platforms - however it is to be expected that we
>> may determine none, some or even all of the steps may need to be
>> reorganized or revised to fit more general needs.
>>
>> 2 - It sounds like these would all be fantastic.  To start with, I
>> think we should focus on OWASP SDL for Web Development, since the
>> primary focus of OWASP (but obviously not the exclusive focus) is web
>> development.  I think then quickly following after the SDL for web would
>> be SDL for mobile & SDL for cloud.
>>
>> Thoughts anyone?
>>
>> Thank you Jeremy,
>> Jerry
>>
>> On 3/8/11 10:37 AM, Jeremy Dallman wrote:
>>> A couple of quick thoughts here... I'll sit down and think about this
>>> more in the coming days.
>>>
>>> 1. Scope: It would be great if we could focus on a platform to avoid
>>> re-hashing resources that are already available in our first round. I
>>> think this would provide a level of value to OWASP customers that they
>>> cannot find elsewhere. The Microsoft SDL obviously focuses on Microsoft
>>> platforms. Showing that the Simplified SDL model applies to platforms
>>> outside of Microsoft would be a great message.
>>>
>>> 2. As for naming: I'm fine with OWASP SDL Project, but it may garner more
>>> attention if we accentuate the platform we are focusing on (assuming
>>> #1)...e.g. "SDL for OpenBSD" or "SDL for Cloud" or "SDL for Mobile".
>>>
>>> Jeremy Dallman
>>> Senior Security Program Manager
>>> Security Development Lifecycle
>>> Microsoft Security Engineering Center
>>> p: 425.705.6787
>>> c: 425.761.2011
>>>
>>> -----Original Message-----
>>> From: owasp_sdl-bounces at lists.owasp.org
>>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
>>> Sent: Monday, March 07, 2011 6:34 PM
>>> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
>>> Subject: Re: [Owasp_sdl] SDL
>>>
>>> I think it's a good start. Just one thing though. There are so many
>>> resources related to SDL outside of OWASP, which should be mentioned too.
>>>
>>> Thanks,
>>>
>>> Anurag Agarwal
>>> MyAppSecurity Inc
>>> Cell - 919-244-0803
>>> Email - anurag at myappsecurity.com
>>> Website - http://www.myappsecurity.com
>>> Blog - http://myappsecurity.blogspot.com
>>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>>
>>> -----Original Message-----
>>> From: owasp_sdl-bounces at lists.owasp.org
>>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
>>> Sent: Tuesday, March 08, 2011 4:19 AM
>>> To: owasp_sdl at lists.owasp.org
>>> Subject: [Owasp_sdl] SDL
>>>
>>> Hello OWASP SDL members!
>>>
>>> Time to get this list talking.  Sorry, I have been in flux over the last
>>> few weeks - basically moving from Asia to North America.  But at last I am
>>> on terra firma.
>>>
>>> To get started, we should decide a few things:
>>>
>>> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or does
>>> anyone have any other suggestions?
>>>
>>> 2) Scope of the project.  My basic roadmap is the following:
>>>
>>>       - Version 1: Go through the existing Simplified Implementation of
>>>         the SDL and map it to existing OWASP resources
>>>       - Release Version 1, and collect feedback from the community
>>>
>>>       - Version 2: Based on information collected, add/remove/alter SDL
>>>         Phases and/or practices
>>>       - Release Version 2, and collect feedback from the community ....
>>>         (repeat indefinitely)
>>>
>>> This is just to get the conversation started - suggestions?
>>>
>>> Thanks team,
>>>
>>> Jerry
>>> _______________________________________________
>>> Owasp_sdl mailing list
>>> Owasp_sdl at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_sdl
>>>