[Owasp_sdl] SDL

Jerry Hoff jerry at owasp.org
Thu Mar 10 13:05:07 EST 2011


Ok, so we are on for a skype call at 10am PST on Friday.  My skype id is
jerryhoff, feel free to add me and we'll do a skype conference on Friday.

Jerry

On 3/10/11 10:08 AM, dinis cruz wrote:
> This Friday I'm actually in Ireland for the OWASP Training Day, so not
> sure if I will be able to make this call, but please go forward and
> have it since there is good energy here.
>
> Dinis Cruz
>
>
> On 9 March 2011 17:46, Jerry Hoff <jerry at owasp.org> wrote:
>
>     Good idea Edward. 
>
>     How does Friday sound to everyone?  What time zones are we all
>     in?  I think now that I am back in the US, we are all on the same
>     continent (with the exception of Dinis).  Would 10am PST Friday,
>     March 11 work for everyone? 
>
>     Jerry
>
>
>     On 3/9/11 11:19 AM, Edward Bonver wrote:
>>     Jerry, thanks for kicking this project off the ground!
>>      
>>     Maybe we should all have a quick conf call to sync up, and
>>     finalize the intended audience/direction/next steps, before we
>>     start any kind of activities, such as mapping current projects?
>>      
>>     Regards,
>>      
>>     --Edward--
>>
>>     On Wed, Mar 9, 2011 at 9:08 AM, Jerry Hoff <jerry at owasp.org> wrote:
>>
>>         Hi Anurag,
>>
>>         Cool - I'm really, really big into collecting data/observation as a
>>         first step towards everything in life.  We can and should reach out to
>>         both small/mid/large cap companies and get information from their sec
>>         folk.  The collection of data is always good.
>>
>>         However, this isn't to say that the findings should override the
>>         existing SDL we have at hand, developed at Microsoft.  The very nature
>>         of cutting-edge research is that everyone *isn't* doing it.
>>
>>         Is anyone in the "anti-data collection" camp?  If so, feel free to make
>>         your case.  People in the "pro-data collection" camp, please throw out
>>         examples of questions we can put into a questionnaire and then send out
>>         to sec folk.
>>
>>         In the meantime, it would be good to start at least generally mapping
>>         existing, mature OWASP projects into the existing phases of the current
>>         simplified SDL.  I'll make a google doc for that end and send out the link.
>>
>>         Jerry
>>
>>
>>
>>         On 3/9/11 10:55 AM, Anurag Agarwal wrote:
>>         > Jerry - you would be surprised how many large enterprises are looking for
>>         > something like this. Though I agree with you that they may have resources
>>         > but most of those people don't come from development background and pick and
>>         > choose what they understand or can implement. OWASP SDL might give them a
>>         > proper structure around it. For e.g. Keith Turpin may not need it but Nishi
>>         > might find it useful.
>>         >
>>         > By no means am I suggesting we should get them on board but I think it
>>         > wouldn't hurt if they do join us. We can send them an invite and it's up to
>>         > them to join.
>>         >
>>         > Just my .02 cents.
>>         >
>>         > Thanks,
>>         >
>>         > Anurag Agarwal
>>         > MyAppSecurity Inc
>>         > Cell - 919-244-0803
>>         > Email - anurag at myappsecurity.com
>>         > Website - http://www.myappsecurity.com
>>         > Blog - http://myappsecurity.blogspot.com
>>         > LinkedIn - http://www.linkedin.com/in/myappsecurity
>>         >
>>         > -----Original Message-----
>>         > From: Jerry Hoff [mailto:jerry at owasp.org]
>>         > Sent: Wednesday, March 09, 2011 11:48 AM
>>         > To: Anurag Agarwal
>>         > Cc: 'Jeremy Dallman'; owasp_sdl at lists.owasp.org
>>         > Subject: Re: [Owasp_sdl] SDL
>>         >
>>         > Hi Anurag,
>>         >
>>         > Well, that brings up a good point.  BSIMM apparently did just that, so
>>         > that research is more or less out there already.  My gut feeling is that
>>         > the most likely candidates to use the OWASP SDL are small-to-mid sized
>>         > companies.  Large companies will have dedicated resources / consultants
>>         > to put together a custom SDL for them.
>>         >
>>         > So if we were going to seek more input, I think it should be security
>>         > folk from small / mid-cap companies who have put together a successful
>>         > security program with more limited resources.
>>         >
>>         > Rowdy dissension welcome...
>>         >
>>         > Jerry
>>         >
>>         >
>>         >
>>         >
>>         > On 3/9/11 8:22 AM, Anurag Agarwal wrote:
>>         >> Hey guys - Do you think we should get security folks from couple of large
>>         >> enterprises to be a part of this group and share their experiences on what
>>         >> works and what doesn't for them.
>>         >>
>>         >> Thoughts?
>>         >>
>>         >>
>>         >> Thanks,
>>         >>
>>         >> Anurag Agarwal
>>         >> MyAppSecurity Inc
>>         >> Cell - 919-244-0803
>>         >> Email - anurag at myappsecurity.com
>>         >> Website - http://www.myappsecurity.com
>>         >> Blog - http://myappsecurity.blogspot.com
>>         >> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>         >>
>>         >> -----Original Message-----
>>         >> From: Jerry Hoff [mailto:jerry at owasp.org]
>>         >> Sent: Tuesday, March 08, 2011 12:17 PM
>>         >> To: Jeremy Dallman
>>         >> Cc: Anurag Agarwal; owasp_sdl at lists.owasp.org
>>         >> Subject: Re: [Owasp_sdl] SDL
>>         >>
>>         >> Hi Jeremy,
>>         >>
>>         >> Great points.  Here are my thoughts:
>>         >>
>>         >> 1 - Agreed on avoid re-hashing, but personally I have found it useful
>>         >> when advising clients on SDL matters to have a list of available owasp
>>         >> and other resources at hand to give them.  Agreed also that the SDL
>>         >> focuses on Microsoft platforms - however it is to be expected that we
>>         >> may determine none, some or even all of the steps may need to be
>>         >> reorganized or revised to fit more general needs.
>>         >>
>>         >> 2 - It sounds like these would all be fantastic.  To start with, I
>>         >> think we should focus on OWASP SDL for Web Development, since the
>>         >> primary focus of OWASP (but obviously not the exclusive focus) is web
>>         >> development.  I think then quickly following after the SDL for web would
>>         >> be SDL for mobile & SDL for cloud.
>>         >>
>>         >> Thoughts anyone?
>>         >>
>>         >> Thank you Jeremy,
>>         >> Jerry
>>         >>
>>         >> On 3/8/11 10:37 AM, Jeremy Dallman wrote:
>>         >>> A couple of quick thoughts here... I'll sit down and think about this
>>         >>> more in the coming days.
>>         >>>
>>         >>> 1. Scope: It would be great if we could focus on a platform to avoid
>>         >>> re-hashing resources that are already available in our first round. I
>>         >>> think this would provide a level of value to OWASP customers that they
>>         >>> cannot find elsewhere. The Microsoft SDL obviously focuses on Microsoft
>>         >>> platforms. Showing that the Simplified SDL model applies to platforms
>>         >>> outside of Microsoft would be a great message.
>>         >>>
>>         >>> 2. As for naming: I'm fine with OWASP SDL Project, but it may garner
>>         >>> more attention if we accentuate the platform we are focusing on
>>         >>> (assuming #1)...e.g. "SDL for OpenBSD" or "SDL for Cloud" or "SDL for
>>         >>> Mobile".
>>         >>>
>>         >>> Jeremy Dallman
>>         >>> Senior Security Program Manager
>>         >>> Security Development Lifecycle
>>         >>> Microsoft Security Engineering Center
>>         >>> p: 425.705.6787
>>         >>> c: 425.761.2011
>>         >>>
>>         >>> -----Original Message-----
>>         >>> From: owasp_sdl-bounces at lists.owasp.org
>>         >>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
>>         >>> Sent: Monday, March 07, 2011 6:34 PM
>>         >>> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
>>         >>> Subject: Re: [Owasp_sdl] SDL
>>         >>>
>>         >>> I think it's a good start. Just one thing though. There are so many
>>         >>> resources related to SDL outside of OWASP, which should be mentioned too.
>>         >>> Thanks,
>>         >>>
>>         >>> Anurag Agarwal
>>         >>> MyAppSecurity Inc
>>         >>> Cell - 919-244-0803
>>         >>> Email - anurag at myappsecurity.com
>>         >>> Website - http://www.myappsecurity.com
>>         >>> Blog - http://myappsecurity.blogspot.com
>>         >>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>         >>> -----Original Message-----
>>         >>> From: owasp_sdl-bounces at lists.owasp.org
>>         >>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
>>         >>> Sent: Tuesday, March 08, 2011 4:19 AM
>>         >>> To: owasp_sdl at lists.owasp.org
>>         >>> Subject: [Owasp_sdl] SDL
>>         >>>
>>         >>> Hello OWASP SDL members!
>>         >>>
>>         >>> Time to get this list talking.  Sorry, I have been in flux over the last
>>         >>> few weeks - basically moving from Asia to North America.  But at last I am
>>         >>> on terra firma.
>>         >>>
>>         >>> To get started, we should decide a few things:
>>         >>>
>>         >>> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or does
>>         >>> anyone have any other suggestions?
>>         >>>
>>         >>> 2) Scope of the project.  My basic roadmap is the following:
>>         >>>
>>         >>>       - Version 1: Go through the existing Simplified Implementation of
>>         >>>         the SDL and map it to existing OWASP resources
>>         >>>       - Release Version 1, and collect feedback from the community
>>         >>>
>>         >>>       - Version 2: Based on information collected, add/remove/alter SDL
>>         >>>         Phases and/or practices
>>         >>>       - Release Version 2, and collect feedback from the community ....
>>         >>> (repeat indefinitely)
>>         >>>
>>         >>> This is just to get the conversation started - suggestions?
>>         >>>
>>         >>> Thanks team,
>>         >>>
>>         >>> Jerry
>>         >>> _______________________________________________
>>         >>> Owasp_sdl mailing list
>>         >>> Owasp_sdl at lists.owasp.org
>>         >>> https://lists.owasp.org/mailman/listinfo/owasp_sdl
>>         >>>
>>
>>
>>
>>
>>     -- 
>>      
>>     ----------------------------------------------------------------
>>     Edward Bonver
>>     edward at owasp.org
>>     (818) 620-5778
>>     Linkedin: http://www.linkedin.com/in/bonver
>>
>>
>
>
>
>
