[Owasp_sdl] SDL

Edward Bonver edward at owasp.org
Wed Mar 9 13:08:27 EST 2011


That works for me.

Regards,

--Edward--
On Wed, Mar 9, 2011 at 9:46 AM, Jerry Hoff <jerry at owasp.org> wrote:

> Good idea Edward.
>
> How does Friday sound to everyone?  What time zones are we all in?  I think
> now that I am back in the US, we are all on the same continent (with the
> exception of Dinis).  Would 10am PST Friday, March 11 work for everyone?
>
> Jerry
>
>
> On 3/9/11 11:19 AM, Edward Bonver wrote:
>
> Jerry, thanks for kicking this project off the ground!
>
> Maybe we should all have a quick conf call to sync up, and finalize the
> intended audience/direction/next steps, before we start any kind of
> activities, such as mapping current projects?
>
> Regards,
>
> --Edward--
>
> On Wed, Mar 9, 2011 at 9:08 AM, Jerry Hoff <jerry at owasp.org> wrote:
>
>> Hi Anurag,
>>
>> Cool - I'm really, really big into collecting data/observation as a
>> first step towards everything in life.  We can and should reach out to
>> both small/mid/large cap companies and get information from their sec
>> folk.  The collection of data is always good.
>>
>> However, this isn't to say that the findings should override the
>> existing SDL we have at hand, developed at Microsoft.  The very nature
>> of cutting-edge research is that everyone *isn't* doing it.
>>
>> Is anyone in the "anti-data collection" camp?  If so, feel free to make
>> your case.  People in the "pro-data collection" camp, please throw out
>> examples of questions we can put into a questionnaire and then send out
>> to sec folk.
>>
>> In the meantime, it would be good to start at least generally mapping
>> existing, mature OWASP projects into the existing phases of the current
>> simplified SDL.  I'll make a google doc for that end and send out the
>> link.
>>
>> Jerry
>>
>>
>>
>> On 3/9/11 10:55 AM, Anurag Agarwal wrote:
>> > Jerry - you would be surprised how many large enterprises are looking
>> > for something like this. Though I agree with you that they may have
>> > resources but most of those people don't come from development background
>> > and pick and choose what they understand or can implement. OWASP SDL might
>> > give them a proper structure around it. For e.g. Keith Turpin may not need
>> > it but Nishi might find it useful.
>> >
>> > By no means am I suggesting we should get them on board but I think it
>> > wouldn't hurt if they do join us. We can send them an invite and it's
>> > up to them to join.
>> >
>> > Just my .02 cents.
>> >
>> > Thanks,
>> >
>> > Anurag Agarwal
>> > MyAppSecurity Inc
>> > Cell - 919-244-0803
>> > Email - anurag at myappsecurity.com
>> > Website - http://www.myappsecurity.com
>> > Blog - http://myappsecurity.blogspot.com
>> > LinkedIn - http://www.linkedin.com/in/myappsecurity
>> >
>> > -----Original Message-----
>> > From: Jerry Hoff [mailto:jerry at owasp.org]
>> > Sent: Wednesday, March 09, 2011 11:48 AM
>> > To: Anurag Agarwal
>> > Cc: 'Jeremy Dallman'; owasp_sdl at lists.owasp.org
>> > Subject: Re: [Owasp_sdl] SDL
>> >
>> > Hi Anurag,
>> >
>> > Well, that brings up a good point.  BSIMM apparently did just that, so
>> > that research is more or less out there already.  My gut feeling is that
>> > the most likely candidates to use the OWASP SDL are small-to-mid sized
>> > companies.  Large companies will have dedicated resources / consultants
>> > to put together a custom SDL for them.
>> >
>> > So if we were going to seek more input, I think it should be security
>> > folk from small / mid-cap companies who have put together a successful
>> > security program with more limited resources.
>> >
>> > Rowdy dissension welcome...
>> >
>> > Jerry
>> >
>> >
>> >
>> >
>> > On 3/9/11 8:22 AM, Anurag Agarwal wrote:
>> >> Hey guys - Do you think we should get security folks from couple of
>> >> large enterprises to be a part of this group and share their experiences
>> >> on what works and what doesn't for them.
>> >>
>> >> Thoughts?
>> >>
>> >>
>> >> Thanks,
>> >>
>> >> Anurag Agarwal
>> >> MyAppSecurity Inc
>> >> Cell - 919-244-0803
>> >> Email - anurag at myappsecurity.com
>> >> Website - http://www.myappsecurity.com
>> >> Blog - http://myappsecurity.blogspot.com
>> >> LinkedIn - http://www.linkedin.com/in/myappsecurity
>> >>
>> >> -----Original Message-----
>> >> From: Jerry Hoff [mailto:jerry at owasp.org]
>> >> Sent: Tuesday, March 08, 2011 12:17 PM
>> >> To: Jeremy Dallman
>> >> Cc: Anurag Agarwal; owasp_sdl at lists.owasp.org
>> >> Subject: Re: [Owasp_sdl] SDL
>> >>
>> >> Hi Jeremy,
>> >>
>> >> Great points.  Here are my thoughts:
>> >>
>> >> 1 - Agreed on avoid re-hashing, but personally I have found it useful
>> >> when advising clients on SDL matters to have a list of available owasp
>> >> and other resources at hand to give them.  Agreed also that the SDL
>> >> focuses on Microsoft platforms - however it is to be expected that we
>> >> may determine none, some or even all of the steps may need to be
>> >> reorganized or revised to fit more general needs.
>> >>
>> >> 2 - It sounds like these would all be fantastic.  To start with, I
>> >> think we should focus on OWASP SDL for Web Development, since the
>> >> primary focus of OWASP (but obviously not the exclusive focus) is web
>> >> development.  I think then quickly following after the SDL for web
>> >> would be SDL for mobile & SDL for cloud.
>> >>
>> >> Thoughts anyone?
>> >>
>> >> Thank you Jeremy,
>> >> Jerry
>> >>
>> >> On 3/8/11 10:37 AM, Jeremy Dallman wrote:
>> >>> A couple of quick thoughts here... I'll sit down and think about this
>> >>> more in the coming days.
>> >>>
>> >>> 1. Scope: It would be great if we could focus on a platform to avoid
>> >>> re-hashing resources that are already available in our first round. I
>> >>> think this would provide a level of value to OWASP customers that they
>> >>> cannot find elsewhere. The Microsoft SDL obviously focuses on Microsoft
>> >>> platforms. Showing that the Simplified SDL model applies to platforms
>> >>> outside of Microsoft would be a great message.
>> >>>
>> >>> 2. As for naming: I'm fine with OWASP SDL Project, but it may garner
>> >>> more attention if we accentuate the platform we are focusing on (assuming
>> >>> #1)...e.g. "SDL for OpenBSD" or "SDL for Cloud" or "SDL for Mobile".
>> >>>
>> >>> Jeremy Dallman
>> >>> Senior Security Program Manager
>> >>> Security Development Lifecycle
>> >>> Microsoft Security Engineering Center
>> >>> p: 425.705.6787
>> >>> c: 425.761.2011
>> >>>
>> >>> -----Original Message-----
>> >>> From: owasp_sdl-bounces at lists.owasp.org
>> >> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
>> >>> Sent: Monday, March 07, 2011 6:34 PM
>> >>> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
>> >>> Subject: Re: [Owasp_sdl] SDL
>> >>>
>> >>> I think it's a good start. Just one thing though. There are so many
>> >>> resources related to SDL outside of OWASP, which should be mentioned
>> >>> too.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Anurag Agarwal
>> >>> MyAppSecurity Inc
>> >>> Cell - 919-244-0803
>> >>> Email - anurag at myappsecurity.com
>> >>> Website - http://www.myappsecurity.com
>> >>> Blog - http://myappsecurity.blogspot.com
>> >>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>> >>>
>> >>> -----Original Message-----
>> >>> From: owasp_sdl-bounces at lists.owasp.org
>> >>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
>> >>> Sent: Tuesday, March 08, 2011 4:19 AM
>> >>> To: owasp_sdl at lists.owasp.org
>> >>> Subject: [Owasp_sdl] SDL
>> >>>
>> >>> Hello OWASP SDL members!
>> >>>
>> >>> Time to get this list talking.  Sorry, I have been in flux over the
>> >>> last few weeks - basically moving from Asia to North America.  But at
>> >>> last I am on terra firma.
>> >>>
>> >>> To get started, we should decide a few things:
>> >>>
>> >>> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or
>> >>> does anyone have any other suggestions?
>> >>> 2) Scope of the project.  My basic roadmap is the following:
>> >>>
>> >>>       - Version 1: Go through the existing Simplified Implementation
>> >>> of the SDL and map it to existing OWASP resources
>> >>>       - Release Version 1, and collect feedback from the community
>> >>>
>> >>>       - Version 2: Based on information collected, add/remove/alter
>> >>> SDL Phases and/or practices
>> >>>       - Release Version 2, and collect feedback from the community
>> >>> ....
>> >>> (repeat indefinitely)
>> >>>
>> >>> This is just to get the conversation started - suggestions?
>> >>>
>> >>> Thanks team,
>> >>>
>> >>> Jerry
>> >>> _______________________________________________
>> >>> Owasp_sdl mailing list
>> >>> Owasp_sdl at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp_sdl
>> >>>
>>


-- 

----------------------------------------------------------------
Edward Bonver
edward at owasp.org
(818) 620-5778
Linkedin: http://www.linkedin.com/in/bonver