-----Original Message-----
From: Jim Manico [mailto:jim.m...@owasp.org]
Sent: Saturday, April 02, 2011 2:49 PM
To: owasp-dev-out...@googlegroups.com
Cc: owasp-dev-out...@googlegroups.com; Sethi, Rohit
Subject: Re: Dev Outreach: Where do we go from here?
Thanks Jim.
Rohit is a big part of this: He is working with the Django Framework and is starting to form a cross-organization "think tank" so FOSS Framework teams can approach an expert committee in private to discuss AppSec issues. Several banks have asked for the same kind of private, objective, non-commercial resource.
OWASP's mission of "Open" makes it a challenge to make this an official OWASP project which is why I think a "cross-organization committee" is key.
-Jim Manico
http://manico.net
On Mar 31, 2011, at 12:00 PM, JIM BIRD <jim...@shaw.ca> wrote:
> I suggest pick one problem where the OWASP community can help and make a real difference, and focus on doing something about it. The number one problem that developers (including me) identified is the lack of secure development frameworks. It makes sense to me to start with what people have said is most important.
>
> Jim Manico has some ideas on how OWASP can help with this, and knows about people who are working on making frameworks more secure. As Jim explained at the SANS Appsec conference this year, it's not necessary to secure every framework to make a difference. There are a small number of common frameworks; making them more safe to use will make a big difference - and hopefully create a snowball effect, as more people get involved and start understanding the problems and trying to solve them.
>
> Rohit Sethi and his team are working on helping to secure Django and he has some good ideas on what can be done on secure frameworks.
> http://labs.securitycompass.com/index.php/2011/03/11/closing-the-secure-web-application-framework-manifesto-project/
>
> I am sure there are other people doing good work like this.
>
> My suggestion is to start by setting up something in the Builders section to track and publicize who is doing what to help make which frameworks secure by default - or at least safer to use. Create some buzz, see who is interested and who is already involved, and build some momentum. And show how OWASP is helping the community, attract more developers to the cause.
>
> I am sure other people will have more concrete ideas of what to do next.
>
> Jim Bird
>
> ----- Original Message -----
> From: John Wilander <john.w...@owasp.org>
> Date: Sunday, March 27, 2011 4:39 pm
> Subject: Dev Outreach: Where do we go from here?
> To: OWASP Dev Outreach Discuss <owasp-dev-out...@googlegroups.com>
>
> > Hi Dev Outreach Discuss!
> >
> > As said on the steering list we now have an official home for the
> > OWASP Builders:
> > http://www.owasp.org/index.php/Builders
> >
> > ... with a tab that summarizes the results of the initial developer
> > outreach:
> > http://www.owasp.org/index.php/Builders#tab=Developer_Outreach
> >
> > The questions are many:
> > * What conclusions can we draw?
> > * How can OWASP engage in the right things ahead?
> > * How do we set up a more ambitious outreach using a proper survey
> > etc?
> >
> > Regards, John
> >
Also, I think one mistake from the manifesto project was to restrict
to "frameworks" when really there are many open source libraries that
have a major impact on web application security besides standard MVC
frameworks. For scoping reasons it may make sense to start with MVC
but we shouldn't stop there.
> http://www.owasp.org/index.php/Global_Conferences_Committee
> http://owaspsweden.blogspot.com
>
--
Sent from my mobile device