[Owasp_sdl] SDL

Edward Bonver edward at owasp.org
Wed Mar 9 12:19:30 EST 2011


Jerry, thanks for kicking this project off the ground!

Maybe we should all have a quick conf call to sync up, and finalize the
intended audience/direction/next steps, before we start any kind of
activities, such as mapping current projects?

Regards,

--Edward--

On Wed, Mar 9, 2011 at 9:08 AM, Jerry Hoff <jerry at owasp.org> wrote:

> Hi Anurag,
>
> Cool - I'm really, really big into collecting data/observation as a
> first step towards everything in life.  We can and should reach out to
> both small/mid/large cap companies and get information from their sec
> folk.  The collection of data is always good.
>
> However, this isn't to say that the findings should override the
> existing SDL we have at hand, developed at Microsoft.  The very nature
> of cutting-edge research is that everyone *isn't* doing it.
>
> Is anyone in the "anti-data collection" camp?  If so, feel free to make
> your case.  People in the "pro-data collection" camp, please throw out
> examples of questions we can put into a questionnaire and then send out
> to sec folk.
>
> In the meantime, it would be good to start at least generally mapping
> existing, mature OWASP projects into the existing phases of the current
> simplified SDL.  I'll make a google doc for that end and send out the link.
>
> Jerry
>
>
>
> On 3/9/11 10:55 AM, Anurag Agarwal wrote:
> > Jerry - you would be surprised how many large enterprises are looking for
> > something like this. Though I agree with you that they may have resources,
> > most of those people don't come from a development background and pick and
> > choose what they understand or can implement. OWASP SDL might give them a
> > proper structure around it. For e.g. Keith Turpin may not need it but Nishi
> > might find it useful.
> >
> > By no means am I suggesting we should get them on board but I think it
> > wouldn't hurt if they do join us. We can send them an invite and it's up to
> > them to join.
> >
> > Just my .02 cents.
> >
> > Thanks,
> >
> > Anurag Agarwal
> > MyAppSecurity Inc
> > Cell - 919-244-0803
> > Email - anurag at myappsecurity.com
> > Website - http://www.myappsecurity.com
> > Blog - http://myappsecurity.blogspot.com
> > LinkedIn - http://www.linkedin.com/in/myappsecurity
> >
> > -----Original Message-----
> > From: Jerry Hoff [mailto:jerry at owasp.org]
> > Sent: Wednesday, March 09, 2011 11:48 AM
> > To: Anurag Agarwal
> > Cc: 'Jeremy Dallman'; owasp_sdl at lists.owasp.org
> > Subject: Re: [Owasp_sdl] SDL
> >
> > Hi Anurag,
> >
> > Well, that brings up a good point.  BSIMM apparently did just that, so
> > that research is more or less out there already.  My gut feeling is that
> > the most likely candidates to use the OWASP SDL are small-to-mid sized
> > companies.  Large companies will have dedicated resources / consultants
> > to put together a custom SDL for them.
> >
> > So if we were going to seek more input, I think it should be security
> > folk from small / mid-cap companies who have put together a successful
> > security program with more limited resources.
> >
> > Rowdy dissension welcome...
> >
> > Jerry
> >
> >
> >
> >
> > On 3/9/11 8:22 AM, Anurag Agarwal wrote:
> >> Hey guys - Do you think we should get security folks from a couple of
> >> large enterprises to be a part of this group and share their experiences
> >> on what works and what doesn't for them?
> >>
> >> Thoughts?
> >>
> >>
> >> Thanks,
> >>
> >> Anurag Agarwal
> >> MyAppSecurity Inc
> >> Cell - 919-244-0803
> >> Email - anurag at myappsecurity.com
> >> Website - http://www.myappsecurity.com
> >> Blog - http://myappsecurity.blogspot.com
> >> LinkedIn - http://www.linkedin.com/in/myappsecurity
> >>
> >> -----Original Message-----
> >> From: Jerry Hoff [mailto:jerry at owasp.org]
> >> Sent: Tuesday, March 08, 2011 12:17 PM
> >> To: Jeremy Dallman
> >> Cc: Anurag Agarwal; owasp_sdl at lists.owasp.org
> >> Subject: Re: [Owasp_sdl] SDL
> >>
> >> Hi Jeremy,
> >>
> >> Great points.  Here are my thoughts:
> >>
> >> 1 - Agreed on avoiding re-hashing, but personally I have found it useful
> >> when advising clients on SDL matters to have a list of available owasp
> >> and other resources at hand to give them.  Agreed also that the SDL
> >> focuses on Microsoft platforms - however it is to be expected that we
> >> may determine none, some or even all of the steps may need to be
> >> reorganized or revised to fit more general needs.
> >>
> >> 2 - It sounds like these would all be fantastic.  To start with, I
> >> think we should focus on OWASP SDL for Web Development, since the
> >> primary focus of OWASP (but obviously not the exclusive focus) is web
> >> development.  I think then quickly following after the SDL for web would
> >> be SDL for mobile & SDL for cloud.
> >>
> >> Thoughts anyone?
> >>
> >> Thank you Jeremy,
> >> Jerry
> >>
> >> On 3/8/11 10:37 AM, Jeremy Dallman wrote:
> >>> A couple of quick thoughts here... I'll sit down and think about this
> >>> more in the coming days.
> >>> 1. Scope: It would be great if we could focus on a platform to avoid
> >>> re-hashing resources that are already available in our first round. I
> >>> think this would provide a level of value to OWASP customers that they
> >>> cannot find elsewhere. The Microsoft SDL obviously focuses on Microsoft
> >>> platforms. Showing that the Simplified SDL model applies to platforms
> >>> outside of Microsoft would be a great message.
> >>> 2. As for naming: I'm fine with OWASP SDL Project, but it may garner
> >>> more attention if we accentuate the platform we are focusing on
> >>> (assuming #1)...e.g. "SDL for OpenBSD" or "SDL for Cloud" or "SDL for
> >>> Mobile".
> >>> Jeremy Dallman
> >>> Senior Security Program Manager
> >>> Security Development Lifecycle
> >>> Microsoft Security Engineering Center
> >>> p: 425.705.6787
> >>> c: 425.761.2011
> >>>
> >>> -----Original Message-----
> >>> From: owasp_sdl-bounces at lists.owasp.org
> >> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
> >>> Sent: Monday, March 07, 2011 6:34 PM
> >>> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
> >>> Subject: Re: [Owasp_sdl] SDL
> >>>
> >>> I think it's a good start. Just one thing though. There are so many
> >>> resources related to SDL outside of OWASP, which should be mentioned
> >>> too.
> >>> Thanks,
> >>>
> >>> Anurag Agarwal
> >>> MyAppSecurity Inc
> >>> Cell - 919-244-0803
> >>> Email - anurag at myappsecurity.com
> >>> Website - http://www.myappsecurity.com
> >>> Blog - http://myappsecurity.blogspot.com
> >>> LinkedIn - http://www.linkedin.com/in/myappsecurity
> >>> -----Original Message-----
> >>> From: owasp_sdl-bounces at lists.owasp.org
> >>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
> >>> Sent: Tuesday, March 08, 2011 4:19 AM
> >>> To: owasp_sdl at lists.owasp.org
> >>> Subject: [Owasp_sdl] SDL
> >>>
> >>> Hello OWASP SDL members!
> >>>
> >>> Time to get this list talking.  Sorry, I have been in flux over the
> >>> last few weeks - basically moving from Asia to North America.  But at
> >>> last I am on terra firma.
> >>> To get started, we should decide a few things:
> >>>
> >>> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or does
> >>> anyone have any other suggestions?
> >>> 2) Scope of the project.  My basic roadmap is the following:
> >>>
> >>>       - Version 1: Go through the existing Simplified Implementation of
> >>>         the SDL and map it to existing OWASP resources
> >>>       - Release Version 1, and collect feedback from the community
> >>>
> >>>       - Version 2: Based on information collected, add/remove/alter SDL
> >> Phases and/or practices
> >>>       - Release Version 2, and collect feedback from the community ....
> >>> (repeat indefinitely)
> >>>
> >>> This is just to get the conversation started - suggestions?
> >>>
> >>> Thanks team,
> >>>
> >>> Jerry
> >>> _______________________________________________
> >>> Owasp_sdl mailing list
> >>> Owasp_sdl at lists.owasp.org
> >>> https://lists.owasp.org/mailman/listinfo/owasp_sdl
> >>>
>



-- 

----------------------------------------------------------------
Edward Bonver
edward at owasp.org
(818) 620-5778
Linkedin: http://www.linkedin.com/in/bonver