This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Security Ecosystem Project

Revision as of 12:33, 17 February 2010 by Jeff Williams (talk | contribs) (initial draft)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The time has come for OWASP to do even more to lead technology companies towards getting their software secure! One key component of achieving secure software is to have a thriving community ecosystem focused on the security of the technology. A few organizations are starting to build these, like Microsoft’s BlueHat community and perhaps a few others. But there’s a huge opportunity for us to do better and OWASP is uniquely positioned to lead this important effort.

The OWASP Security Ecosystem Project

OWASP has recently been approached by several large SaaS vendors to help them work improve their security. We’ll be announcing these vendors and launching their ecosystems as soon as we get permission. Now is the time for us to organize our “Security Ecosytem Project” so that we are ready to help get these programs off the ground quickly and successfully.

So what is a “security ecosystem”?

Nobody (and no company) can build secure software by themselves. We have seen that vulnerability research can help to drive security forward in companies, but it’s a painful process. We envision a partnership between technology platform vendors and a thriving ecosystem focused on the security of their technology. The ecosystem will include researchers (both builders and breakers), tools, libraries, guidelines, awareness materials, standards, education, conferences, forums, feeds, announcements, and probably more.

Why collaborate with vendors?

It might be possible for OWASP to try to start an ecosystem without the vendor’s involvement. In fact the OWASP Java and .NET project fit that description. But these efforts will always seem like a threat to technology vendors. Vendors might start their own ecosystem, but it is much more likely to succeed with an independent partner like OWASP. The OWASP Ecosystem Project is intended to help create a collaborative open effort focused on improving the security of the technology by focusing on visibility, understanding, and informed decisions about risk. OWASP’s independence and positive approach makes us the perfect environment for these ecosystems to grow.

How do we get started?

The first step is to create a framework for a healthy security ecosystem! Then we can choose a few key technologies and vendors that want to work with us to start. We need to pull together the materials we have and other materials out on the net into a OWASP Security Ecosystem Portal. To grow the ecosystem, we’ll solicit research, tools, and other materials and work with both end-users and the vendor to focus on eliminating the key risks associated with the technology.

The future!

This could mark the dawning of a new collaborative era of application security, where companies actively engage with security researchers in order to make their products better. Everyone benefits by creating an ecosystem focused on fostering transparency. The time has come for security experts and software developers to collaborate. The stakes are way too high to waste time and effort on obscurity and infighting.

Join us

We're looking for energetic technical leaders who would like to build a thriving security ecosystem around a technology. If you have at least 10 hours a week to dedicate to this important effort, and you think you're the right person, contact us at [email protected]