[Owasp_sdl] SDL

Anurag Agarwal anurag.agarwal at yahoo.com
Wed Mar 9 13:28:46 EST 2011


Works for me too

Thanks,

Anurag Agarwal

MyAppSecurity Inc

Cell - 919-244-0803

Email - anurag at myappsecurity.com

Website - http://www.myappsecurity.com

Blog - http://myappsecurity.blogspot.com

LinkedIn - http://www.linkedin.com/in/myappsecurity 

 

From: Edward Bonver [mailto:edward at owasp.org] 
Sent: Wednesday, March 09, 2011 1:08 PM
To: Jerry Hoff
Cc: Anurag Agarwal; Jeremy Dallman; owasp_sdl at lists.owasp.org
Subject: Re: [Owasp_sdl] SDL

That works for me.

Regards,

--Edward--

On Wed, Mar 9, 2011 at 9:46 AM, Jerry Hoff <jerry at owasp.org> wrote:

Good idea Edward.  

How does Friday sound to everyone?  What time zones are we all in?  I think
now that I am back in the US, we are all on the same continent (with the
exception of Dinis).  Would 10am PST Friday, March 11 work for everyone?  

Jerry 



On 3/9/11 11:19 AM, Edward Bonver wrote: 

Jerry, thanks for kicking this project off the ground!

Maybe we should all have a quick conf call to sync up, and finalize the
intended audience/direction/next steps, before we start any kind of
activities, such as mapping current projects?

Regards,

--Edward--

On Wed, Mar 9, 2011 at 9:08 AM, Jerry Hoff <jerry at owasp.org> wrote:

Hi Anurag,

Cool - I'm really, really big into collecting data/observation as a
first step towards everything in life.  We can and should reach out to
both small/mid/large cap companies and get information from their sec
folk.  The collection of data is always good.

However, this isn't to say that the findings should override the
existing SDL we have at hand, developed at Microsoft.  The very nature
of cutting-edge research is that everyone *isn't* doing it.

Is anyone in the "anti-data collection" camp?  If so, feel free to make
your case.  People in the "pro-data collection" camp, please throw out
examples of questions we can put into a questionnaire and then send out
to sec folk.

In the meantime, it would be good to start at least generally mapping
existing, mature OWASP projects into the existing phases of the current
simplified SDL.  I'll make a google doc for that end and send out the link.

Jerry




On 3/9/11 10:55 AM, Anurag Agarwal wrote:
> Jerry - you would be surprised how many large enterprises are looking for
> something like this. Though I agree with you that they may have resources,
> most of those people don't come from a development background and pick
> and choose what they understand or can implement. OWASP SDL might give them a
> proper structure around it. E.g. Keith Turpin may not need it but Nishi
> might find it useful.
>
> By no means am I suggesting we should get them on board but I think it
> wouldn't hurt if they do join us. We can send them an invite and it's up to
> them to join.
>
> Just my .02 cents.
>
> Thanks,
>
> Anurag Agarwal
> MyAppSecurity Inc
> Cell - 919-244-0803
> Email - anurag at myappsecurity.com
> Website - http://www.myappsecurity.com
> Blog - http://myappsecurity.blogspot.com
> LinkedIn - http://www.linkedin.com/in/myappsecurity
>
> -----Original Message-----
> From: Jerry Hoff [mailto:jerry at owasp.org]
> Sent: Wednesday, March 09, 2011 11:48 AM
> To: Anurag Agarwal
> Cc: 'Jeremy Dallman'; owasp_sdl at lists.owasp.org
> Subject: Re: [Owasp_sdl] SDL
>
> Hi Anurag,
>
> Well, that brings up a good point.  BSIMM apparently did just that, so
> that research is more or less out there already.  My gut feeling is that
> the most likely candidates to use the OWASP SDL are small-to-mid sized
> companies.  Large companies will have dedicated resources / consultants
> to put together a custom SDL for them.
>
> So if we were going to seek more input, I think it should be security
> folk from small / mid-cap companies who have put together a successful
> security program with more limited resources.
>
> Rowdy dissension welcome...
>
> Jerry
>
>
>
>
> On 3/9/11 8:22 AM, Anurag Agarwal wrote:
>> Hey guys - Do you think we should get security folks from a couple of large
>> enterprises to be a part of this group and share their experiences on what
>> works and what doesn't for them?
>>
>> Thoughts?
>>
>>
>> Thanks,
>>
>> Anurag Agarwal
>> MyAppSecurity Inc
>> Cell - 919-244-0803
>> Email - anurag at myappsecurity.com
>> Website - http://www.myappsecurity.com
>> Blog - http://myappsecurity.blogspot.com
>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>
>> -----Original Message-----
>> From: Jerry Hoff [mailto:jerry at owasp.org]
>> Sent: Tuesday, March 08, 2011 12:17 PM
>> To: Jeremy Dallman
>> Cc: Anurag Agarwal; owasp_sdl at lists.owasp.org
>> Subject: Re: [Owasp_sdl] SDL
>>
>> Hi Jeremy,
>>
>> Great points.  Here are my thoughts:
>>
>> 1 - Agreed on avoiding re-hashing, but personally I have found it useful
>> when advising clients on SDL matters to have a list of available OWASP
>> and other resources at hand to give them.  Agreed also that the SDL
>> focuses on Microsoft platforms - however it is to be expected that we
>> may determine none, some or even all of the steps may need to be
>> reorganized or revised to fit more general needs.
>>
>> 2 - It sounds like these would all be fantastic.  To start with, I
>> think we should focus on OWASP SDL for Web Development, since the
>> primary focus of OWASP (but obviously not the exclusive focus) is web
>> development.  I think then quickly following after the SDL for web would
>> be SDL for mobile & SDL for cloud.
>>
>> Thoughts anyone?
>>
>> Thank you Jeremy,
>> Jerry
>>
>> On 3/8/11 10:37 AM, Jeremy Dallman wrote:
>>> A couple of quick thoughts here... I'll sit down and think about this more
>>> in the coming days.
>>> 1. Scope: It would be great if we could focus on a platform to avoid
>>> re-hashing resources that are already available in our first round. I think
>>> this would provide a level of value to OWASP customers that they cannot find
>>> elsewhere. The Microsoft SDL obviously focuses on Microsoft platforms.
>>> Showing that the Simplified SDL model applies to platforms outside of
>>> Microsoft would be a great message.
>>> 2. As for naming: I'm fine with OWASP SDL Project, but it may garner more
>>> attention if we accentuate the platform we are focusing on (assuming
>>> #1)...e.g. "SDL for OpenBSD" or "SDL for Cloud" or "SDL for Mobile".
>>> Jeremy Dallman
>>> Senior Security Program Manager
>>> Security Development Lifecycle
>>> Microsoft Security Engineering Center
>>> p: 425.705.6787
>>> c: 425.761.2011
>>>
>>> -----Original Message-----
>>> From: owasp_sdl-bounces at lists.owasp.org
>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
>>> Sent: Monday, March 07, 2011 6:34 PM
>>> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
>>> Subject: Re: [Owasp_sdl] SDL
>>>
>>> I think it's a good start. Just one thing though. There are so many
>>> resources related to SDL outside of OWASP, which should be mentioned too.
>>> Thanks,
>>>
>>> Anurag Agarwal
>>> MyAppSecurity Inc
>>> Cell - 919-244-0803
>>> Email - anurag at myappsecurity.com
>>> Website - http://www.myappsecurity.com
>>> Blog - http://myappsecurity.blogspot.com
>>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>> -----Original Message-----
>>> From: owasp_sdl-bounces at lists.owasp.org
>>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
>>> Sent: Tuesday, March 08, 2011 4:19 AM
>>> To: owasp_sdl at lists.owasp.org
>>> Subject: [Owasp_sdl] SDL
>>>
>>> Hello OWASP SDL members!
>>>
>>> Time to get this list talking.  Sorry, I have been in flux over the last
>>> few weeks - basically moving from Asia to North America.  But at last I am
>>> on terra firma.
>>> To get started, we should decide a few things:
>>>
>>> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or does
>>> anyone have any other suggestions?
>>> 2) Scope of the project.  My basic roadmap is the following:
>>>
>>>       - Version 1: Go through the existing Simplified Implementation of the
>>>         SDL and map it to existing OWASP resources
>>>       - Release Version 1, and collect feedback from the community
>>>
>>>       - Version 2: Based on information collected, add/remove/alter SDL
>>>         Phases and/or practices
>>>       - Release Version 2, and collect feedback from the community ....
>>>         (repeat indefinitely)
>>>
>>> This is just to get the conversation started - suggestions?
>>>
>>> Thanks team,
>>>
>>> Jerry
>>> _______________________________________________
>>> Owasp_sdl mailing list
>>> Owasp_sdl at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp_sdl
>>>

-- 

 

----------------------------------------------------------------

Edward Bonver

edward at owasp.org

(818) 620-5778

Linkedin: http://www.linkedin.com/in/bonver

 

 
