[Owasp_sdl] SDL

Jason Taylor jason.taylor at owasp.org
Thu Mar 10 13:58:01 EST 2011


My skype ID is tlaloc75.

Jason

On Mar 10, 2011, at 11:05 AM, Jerry Hoff wrote:

> Ok, so we are on for a skype call at 10am PST on Friday.  My skype id is jerryhoff, feel free to add me and we'll do a skype conference on Friday.
> 
> Jerry
> 
> On 3/10/11 10:08 AM, dinis cruz wrote:
>> 
>> This Friday I'm actually in Ireland for the OWASP Training Day, so not sure if I will be able to make this call, but please go forward and have it since there is good energy here.
>> 
>> Dinis Cruz
>> 
>> 
>> On 9 March 2011 17:46, Jerry Hoff <jerry at owasp.org> wrote:
>> Good idea Edward.  
>> 
>> How does Friday sound to everyone?  What time zones are we all in?  I think now that I am back in the US, we are all on the same continent (with the exception of Dinis).  Would 10am PST Friday, March 11 work for everyone?  
>> 
>> Jerry
>> 
>> 
>> On 3/9/11 11:19 AM, Edward Bonver wrote:
>>> 
>>> Jerry, thanks for kicking this project off the ground!
>>>  
>>> Maybe we should all have a quick conf call to sync up, and finalize the intended audience/direction/next steps, before we start any kind of activities, such as mapping current projects?
>>>  
>>> Regards,
>>>  
>>> --Edward--
>>> 
>>> On Wed, Mar 9, 2011 at 9:08 AM, Jerry Hoff <jerry at owasp.org> wrote:
>>> Hi Anurag,
>>> 
>>> Cool - I'm really, really big into collecting data/observation as a
>>> first step towards everything in life.  We can and should reach out to
>>> both small/mid/large cap companies and get information from their sec
>>> folk.  The collection of data is always good.
>>> 
>>> However, this isn't to say that the findings should override the
>>> existing SDL we have at hand, developed at Microsoft.  The very nature
>>> of cutting-edge research is that everyone *isn't* doing it.
>>> 
>>> Is anyone in the "anti-data collection" camp?  If so, feel free to make
>>> your case.  People in the "pro-data collection" camp, please throw out
>>> examples of questions we can put into a questionnaire and then send out
>>> to sec folk.
>>> 
>>> In the meantime, it would be good to start at least generally mapping
>>> existing, mature OWASP projects into the existing phases of the current
>>> simplified SDL.  I'll make a Google Doc to that end and send out the link.
>>> 
>>> Jerry
>>> 
>>> 
>>> 
>>> On 3/9/11 10:55 AM, Anurag Agarwal wrote:
>>> > Jerry - you would be surprised how many large enterprises are looking for
>>> > something like this. Though I agree with you that they may have resources
>>> > but most of those people don't come from development background and pick and
>>> > choose what they understand or can implement. OWASP SDL might give them a
>>> > proper structure around it. E.g., Keith Turpin may not need it, but Nishi
>>> > might find it useful.
>>> >
>>> > By no means am I suggesting we should get them on board, but I think it
>>> > wouldn't hurt if they do join us. We can send them an invite and it's up to
>>> > them to join.
>>> >
>>> > Just my .02 cents.
>>> >
>>> > Thanks,
>>> >
>>> > Anurag Agarwal
>>> > MyAppSecurity Inc
>>> > Cell - 919-244-0803
>>> > Email - anurag at myappsecurity.com
>>> > Website - http://www.myappsecurity.com
>>> > Blog - http://myappsecurity.blogspot.com
>>> > LinkedIn - http://www.linkedin.com/in/myappsecurity
>>> >
>>> > -----Original Message-----
>>> > From: Jerry Hoff [mailto:jerry at owasp.org]
>>> > Sent: Wednesday, March 09, 2011 11:48 AM
>>> > To: Anurag Agarwal
>>> > Cc: 'Jeremy Dallman'; owasp_sdl at lists.owasp.org
>>> > Subject: Re: [Owasp_sdl] SDL
>>> >
>>> > Hi Anurag,
>>> >
>>> > Well, that brings up a good point.  BSIMM apparently did just that, so
>>> > that research is more or less out there already.  My gut feeling is that
>>> > the most likely candidates to use the OWASP SDL are small-to-mid sized
>>> > companies.  Large companies will have dedicated resources / consultants
>>> > to put together a custom SDL for them.
>>> >
>>> > So if we were going to seek more input, I think it should be security
>>> > folk from small / mid-cap companies who have put together a successful
>>> > security program with more limited resources.
>>> >
>>> > Rowdy dissension welcome...
>>> >
>>> > Jerry
>>> >
>>> >
>>> >
>>> >
>>> > On 3/9/11 8:22 AM, Anurag Agarwal wrote:
>>> >> Hey guys - Do you think we should get security folks from a couple of large
>>> >> enterprises to be a part of this group and share their experiences on what
>>> >> works and what doesn't for them?
>>> >>
>>> >> Thoughts?
>>> >>
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Anurag Agarwal
>>> >> MyAppSecurity Inc
>>> >> Cell - 919-244-0803
>>> >> Email - anurag at myappsecurity.com
>>> >> Website - http://www.myappsecurity.com
>>> >> Blog - http://myappsecurity.blogspot.com
>>> >> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>> >>
>>> >> -----Original Message-----
>>> >> From: Jerry Hoff [mailto:jerry at owasp.org]
>>> >> Sent: Tuesday, March 08, 2011 12:17 PM
>>> >> To: Jeremy Dallman
>>> >> Cc: Anurag Agarwal; owasp_sdl at lists.owasp.org
>>> >> Subject: Re: [Owasp_sdl] SDL
>>> >>
>>> >> Hi Jeremy,
>>> >>
>>> >> Great points.  Here are my thoughts:
>>> >>
>>> >> 1 - Agreed on avoiding re-hashing, but personally I have found it useful
>>> >> when advising clients on SDL matters to have a list of available OWASP
>>> >> and other resources at hand to give them.  Agreed also that the SDL
>>> >> focuses on Microsoft platforms - however, it is to be expected that we
>>> >> may determine that none, some or even all of the steps may need to be
>>> >> reorganized or revised to fit more general needs.
>>> >>
>>> >> 2 - It sounds like these would all be fantastic.  To start with, I
>>> >> think we should focus on OWASP SDL for Web Development, since the
>>> >> primary focus of OWASP (but obviously not the exclusive focus) is web
>>> >> development.  I think then quickly following after the SDL for web would
>>> >> be SDL for mobile & SDL for cloud.
>>> >>
>>> >> Thoughts anyone?
>>> >>
>>> >> Thank you Jeremy,
>>> >> Jerry
>>> >>
>>> >> On 3/8/11 10:37 AM, Jeremy Dallman wrote:
>>> >>> A couple of quick thoughts here... I'll sit down and think about this more
>>> >>> in the coming days.
>>> >>> 1. Scope: It would be great if we could focus on a platform to avoid
>>> >>> re-hashing resources that are already available in our first round. I think
>>> >>> this would provide a level of value to OWASP customers that they cannot find
>>> >>> elsewhere. The Microsoft SDL obviously focuses on Microsoft platforms.
>>> >>> Showing that the Simplified SDL model applies to platforms outside of
>>> >>> Microsoft would be a great message.
>>> >>> 2. As for naming: I'm fine with OWASP SDL Project, but it may garner more
>>> >>> attention if we accentuate the platform we are focusing on (assuming
>>> >>> #1)... e.g. "SDL for OpenBSD" or "SDL for Cloud" or "SDL for Mobile".
>>> >>> Jeremy Dallman
>>> >>> Senior Security Program Manager
>>> >>> Security Development Lifecycle
>>> >>> Microsoft Security Engineering Center
>>> >>> p: 425.705.6787
>>> >>> c: 425.761.2011
>>> >>>
>>> >>> -----Original Message-----
>>> >>> From: owasp_sdl-bounces at lists.owasp.org
>>> >> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Anurag Agarwal
>>> >>> Sent: Monday, March 07, 2011 6:34 PM
>>> >>> To: 'Jerry Hoff'; owasp_sdl at lists.owasp.org
>>> >>> Subject: Re: [Owasp_sdl] SDL
>>> >>>
>>> >>> I think it's a good start. Just one thing though. There are so many
>>> >>> resources related to SDL outside of OWASP, which should be mentioned too.
>>> >>> Thanks,
>>> >>>
>>> >>> Anurag Agarwal
>>> >>> MyAppSecurity Inc
>>> >>> Cell - 919-244-0803
>>> >>> Email - anurag at myappsecurity.com
>>> >>> Website - http://www.myappsecurity.com
>>> >>> Blog - http://myappsecurity.blogspot.com
>>> >>> LinkedIn - http://www.linkedin.com/in/myappsecurity
>>> >>> -----Original Message-----
>>> >>> From: owasp_sdl-bounces at lists.owasp.org
>>> >>> [mailto:owasp_sdl-bounces at lists.owasp.org] On Behalf Of Jerry Hoff
>>> >>> Sent: Tuesday, March 08, 2011 4:19 AM
>>> >>> To: owasp_sdl at lists.owasp.org
>>> >>> Subject: [Owasp_sdl] SDL
>>> >>>
>>> >>> Hello OWASP SDL members!
>>> >>>
>>> >>> Time to get this list talking.  Sorry, I have been in flux over the last
>>> >>> few weeks - basically moving from Asia to North America.  But at last I am
>>> >>> on terra firma.
>>> >>>
>>> >>> To get started, we should decide a few things:
>>> >>>
>>> >>> 1) Name of the project.  Is "the OWASP SDL project" acceptable, or does
>>> >>> anyone have any other suggestions?
>>> >>>
>>> >>> 2) Scope of the project.  My basic roadmap is the following:
>>> >>>
>>> >>>       - Version 1: Go through the existing Simplified Implementation of the
>>> >>>         SDL and map it to existing OWASP resources
>>> >>>       - Release Version 1, and collect feedback from the community
>>> >>>
>>> >>>       - Version 2: Based on information collected, add/remove/alter SDL
>>> >>>         Phases and/or practices
>>> >>>       - Release Version 2, and collect feedback from the community ....
>>> >>>         (repeat indefinitely)
>>> >>>
>>> >>> This is just to get the conversation started - suggestions?
>>> >>>
>>> >>> Thanks team,
>>> >>>
>>> >>> Jerry
>>> >>> _______________________________________________
>>> >>> Owasp_sdl mailing list
>>> >>> Owasp_sdl at lists.owasp.org
>>> >>> https://lists.owasp.org/mailman/listinfo/owasp_sdl
>>> >>>
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>>  
>>> ----------------------------------------------------------------
>>> Edward Bonver
>>> edward at owasp.org
>>> (818) 620-5778
>>> Linkedin: http://www.linkedin.com/in/bonver
>>> 
>>> 
>> 
>> 
>> 
>> 
> 
