Dev Outreach: Where do we go from here?


John Wilander

Mar 27, 2011, 6:39:02 PM
to OWASP Dev Outreach Discuss
Hi Dev Outreach Discuss!

As said on the steering list we now have an official home for the
OWASP Builders:
http://www.owasp.org/index.php/Builders

... with a tab that summarizes the results of the initial developer
outreach:
http://www.owasp.org/index.php/Builders#tab=Developer_Outreach

The questions are many:
* What conclusions can we draw?
* How can OWASP engage in the right things ahead?
* How do we set up a more ambitious outreach using a proper survey
etc?

Regards, John

JIM BIRD

Mar 31, 2011, 6:00:40 PM
to owasp-dev-out...@googlegroups.com
I suggest picking one problem where the OWASP community can help and make a real difference, and focusing on doing something about it. The number one problem that developers (including me) identified is the lack of secure development frameworks. It makes sense to me to start with what people have said is most important.

Jim Manico has some ideas on how OWASP can help with this, and knows about people who are working on making frameworks more secure. As Jim explained at the SANS Appsec conference this year, it's not necessary to secure every framework to make a difference. There are a small number of common frameworks; making them more safe to use will make a big difference - and hopefully create a snowball effect, as more people get involved and start understanding the problems and trying to solve them.

Rohit Sethi and his team are working on helping to secure Django, and he has some good ideas on what can be done on secure frameworks.
http://labs.securitycompass.com/index.php/2011/03/11/closing-the-secure-web-application-framework-manifesto-project/

I am sure there are other people doing good work like this.

My suggestion is to start by setting up something in the Builders section to track and publicize who is doing what to help make which frameworks secure by default - or at least safer to use. Create some buzz, see who is interested and who is already involved, and build some momentum. And show how OWASP is helping the community, and attract more developers to the cause.

I am sure other people will have more concrete ideas of what to do next.

Jim Bird

Jim Manico

Apr 2, 2011, 2:48:54 PM
to owasp-dev-out...@googlegroups.com, owasp-dev-out...@googlegroups.com, Rohit Sethi
Thanks Jim.

Rohit is a big part of this: He is working with the Django Framework and is starting to form a cross-organization "think tank" so FOSS Framework teams can approach an expert committee in private to discuss AppSec issues. Several banks have asked for the same kind of private, objective, non-commercial resource.

OWASP's mission of "Open" makes it a challenge to make this an official OWASP project which is why I think a "cross-organization committee" is key.

-Jim Manico
http://manico.net
