[Owasp_sdl] SDL

Jerry Hoff jerry at owasp.org
Wed Mar 9 12:46:36 EST 2011


Good idea Edward.

How does Friday sound to everyone?  What time zones are we all in?  I 
think now that I am back in the US, we are all on the same continent 
(with the exception of Dinis).  Would 10am PST Friday, March 11 work for 
everyone?

Jerry

On 3/9/11 11:19 AM, Edward Bonver wrote:
> Jerry, thanks for kicking this project off the ground!
> Maybe we should all have a quick conf call to sync up, and finalize 
> the intended audience/direction/next steps, before we start any kind 
> of activities, such as mapping current projects?
> Regards,
> --Edward--
>
> On Wed, Mar 9, 2011 at 9:08 AM, Jerry Hoff <jerry at owasp.org> wrote:
>
>     Hi Anurag,
>
>     Cool - I'm really, really big into collecting data/observation as a
>     first step towards everything in life.  We can and should reach out to
>     both small/mid/large cap companies and get information from their sec
>     folk.  The collection of data is always good.
>
>     However, this isn't to say that the findings should override the
>     existing SDL we have at hand, developed at Microsoft.  The very nature
>     of cutting-edge research is that everyone *isn't* doing it.
>
>     Is anyone in the "anti-data collection" camp?  If so, feel free to
>     make your case.  People in the "pro-data collection" camp, please
>     throw out examples of questions we can put into a questionnaire and
>     then send out to sec folk.
>
>     In the meantime, it would be good to start at least generally mapping
>     existing, mature OWASP projects into the existing phases of the
>     current simplified SDL.  I'll make a google doc for that end and send
>     out the link.
>
>     Jerry
>
>
>
>     On 3/9/11 10:55 AM, Anurag Agarwal wrote:
>     > Jerry - you would be surprised how many large enterprises are
>     > looking for something like this. Though I agree with you that they
>     > may have resources, most of those people don't come from a
>     > development background and pick and choose what they understand or
>     > can implement. OWASP SDL might give them a proper structure around
>     > it. E.g. Keith Turpin may not need it but Nishi might find it
>     > useful.
>     >
>     > By no means am I suggesting we should get them on board but I think
>     > it wouldn't hurt if they do join us. We can send them an invite and
>     > it's up to them to join.
>     >
>     > Just my .02 cents.
>     >
>     > Thanks,
>     >
>     > Anurag Agarwal
>     > MyAppSecurity Inc
>     > Cell - 919-244-0803
>     > Email - anurag at myappsecurity.com
>     > Website - http://www.myappsecurity.com
>     > Blog - http://myappsecurity.blogspot.com
>     > LinkedIn - http://www.linkedin.com/in/myappsecurity
>     >
>     > -----Original Message-----
>     > From: Jerry Hoff [mailto:jerry at owasp.org]
>     > Sent: Wednesday, March 09, 2011 11:48 AM
>     > To: Anurag Agarwal
>     > Cc: 'Jeremy Dallman'; owasp_sdl at lists.owasp.org
>     > Subject: Re: [Owasp_sdl] SDL
>     >
>     > Hi Anurag,
>     >
>     > Well, that brings up a good point.  BSIMM apparently did just
>     > that, so that research is more or less out there already.  My gut
>     > feeling is that the most likely candidates to use the OWASP SDL are
>     > small-to-mid sized companies.  Large companies will have dedicated
>     > resources / consultants to put together a custom SDL for them.
>     >
>     > So if we were going to seek more input, I think it should be
>     > security folk from small / mid-cap companies who have put together
>     > a successful security program with more limited resources.
>     >
>     > Rowdy dissension welcome...
>     >
>     > Jerry
>     >
>     >
>     >
>     >
>     > On 3/9/11 8:22 AM, Anurag Agarwal wrote:
>     >> Hey guys - Do you think we should get security folks from a
>     >> couple of large enterprises to be a part of this group and share
>     >> their experiences on what works and what doesn't for them?
>     >>
>     >> Thoughts?
>     >>
>     >>
>     >> Thanks,
>     >>
>     >> Anurag Agarwal
>     >> MyAppSecurity Inc
>     >> Cell - 919-244-0803
>     >> Email - anurag at myappsecurity.com
>     >> Website - http://www.myappsecurity.com
>     >> Blog - http://myappsecurity.blogspot.com
>     >> LinkedIn - http://www.linkedin.com/in/myappsecurity
>     >>
>     >> -----Original Message-----
>     >> From: Jerry Hoff [mailto:jerry at owasp.org]
>     >> Sent: Tuesday, March 08, 2011 12:17 PM
>     >> To: Jeremy Dallman
>     >> Cc: Anurag Agarwal; owasp_sdl at lists.owasp.org
>     >> Subject: Re: [Owasp_sdl] SDL
>     >>
>     >> Hi Jeremy,
>     >>
>     >> Great points.  Here are my thoughts:
>     >>
>     >> 1 - Agreed on avoiding re-hashing, but personally I have found it
>     >> useful when advising clients on SDL matters to have a list of
>     >> available OWASP and other resources at hand to give them.  Agreed
>     >> also that the SDL focuses on Microsoft platforms - however it is to
>     >> be expected that we may determine none, some or even all of the
>     >> steps may need to be reorganized or revised to fit more general
>     >> needs.
>     >>
>     >> 2 - It sounds like these would all be fantastic.  To start with, I
>     >> think we should focus on OWASP SDL for Web Development, since the
>     >> primary focus of OWASP (but obviously not the exclusive focus) is
>     >> web development.  I think then quickly following after the SDL for
>     >> web would be SDL for mobile & SDL for cloud.
>     >>
>     >> Thoughts anyone?
>     >>
>     >> Thank you Jeremy,
>     >> Jerry
>     >>
>     >> On 3/8/11 10:37 AM, Jeremy Dallman wrote:
>     >>> A couple of quick thoughts here... I'll sit down and think about
>     >>> this more in the coming days.
>     >>>
>     >>> 1. Scope: It would be great if we could focus on a platform to
>     >>> avoid re-hashing resources that are already available in our first
>     >>> round. I think this would provide a level of value to OWASP
>     >>> customers that they cannot find elsewhere. The Microsoft SDL
>     >>> obviously focuses on Microsoft platforms. Showing that the
>     >>> Simplified SDL model applies to platforms outside of Microsoft
>     >>> would be a great message.
>     >>>
>     >>> 2. As for naming: I'm fine with OWASP SDL Project, but it may
>     >>> garner more attention if we accentuate the platform we are
>     >>> focusing on (assuming #1)...e.g. "SDL for OpenBSD" or "SDL for
>     >>> Cloud" or "SDL for Mobile".
>     >>>
>     >>> Jeremy Dallman
>     >>> Senior Security Program Manager
>     >>> Security Development Lifecycle
>     >>> Microsoft Security Engineering Center
>     >>> p: 425.705.6787
>     >>> c: 425.761.2011
>     >>>
>     >>> -----Original Message-----
>     >>> From: owasp_sdl-bounces at lists.owasp.org
>     >>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
>     >>> Sent: Monday, March 07, 2011 6:34 PM
>     >>> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
>     >>> Subject: Re: [Owasp_sdl] SDL
>     >>>
>     >>> I think it's a good start. Just one thing though. There are so
>     >>> many resources related to SDL outside of OWASP, which should be
>     >>> mentioned too.
>     >>>
>     >>> Thanks,
>     >>>
>     >>> Anurag Agarwal
>     >>> MyAppSecurity Inc
>     >>> Cell - 919-244-0803
>     >>> Email - anurag at myappsecurity.com
>     >>> Website - http://www.myappsecurity.com
>     >>> Blog - http://myappsecurity.blogspot.com
>     >>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>     >>>
>     >>> -----Original Message-----
>     >>> From: owasp_sdl-bounces at lists.owasp.org
>     >>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
>     >>> Sent: Tuesday, March 08, 2011 4:19 AM
>     >>> To: owasp_sdl at lists.owasp.org
>     >>> Subject: [Owasp_sdl] SDL
>     >>>
>     >>> Hello OWASP SDL members!
>     >>>
>     >>> Time to get this list talking.  Sorry, I have been in flux over
>     >>> the last few weeks - basically moving from Asia to North America.
>     >>> But at last I am on terra firma.
>     >>>
>     >>> To get started, we should decide a few things:
>     >>>
>     >>> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or
>     >>> does anyone have any other suggestions?
>     >>>
>     >>> 2) Scope of the project.  My basic roadmap is the following:
>     >>>
>     >>>       - Version 1: Go through the existing Simplified
>     >>>         Implementation of the SDL and map it to existing OWASP
>     >>>         resources
>     >>>       - Release Version 1, and collect feedback from the community
>     >>>
>     >>>       - Version 2: Based on information collected, add/remove/alter
>     >>>         SDL Phases and/or practices
>     >>>       - Release Version 2, and collect feedback from the
>     >>>         community .... (repeat indefinitely)
>     >>>
>     >>> This is just to get the conversation started - suggestions?
>     >>>
>     >>> Thanks team,
>     >>>
>     >>> Jerry
>     >>> _______________________________________________
>     >>> Owasp_sdl mailing list
>     >>> Owasp_sdl at lists.owasp.org <mailto:Owasp_sdl at lists.owasp.org>
>     >>> https://lists.owasp.org/mailman/listinfo/owasp_sdl
>     >>>
>
>
>
>
>
> -- 
> ----------------------------------------------------------------
> Edward Bonver
> edward at owasp.org
> (818) 620-5778
> Linkedin: http://www.linkedin.com/in/bonver
>
>
