
Difference between revisions of "Summit 2011 Working Sessions/Session061"

Line 103: Line 103:
  
 
|-
 
|-
| summit_track_logo =  
+
| summit_track_logo = [[Image:T._owasp.jpg]]
| summit_ws_logo =  
+
| summit_ws_logo = [[Image:WS._owasp.jpg]]
| summit_session_name =  
+
| summit_session_name = Did OWASP Failed to achieve its full potential? (and lessons learned)
| summit_session_url =  
+
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session091
 +
 
 +
| short_working_session_description= Although OWASP is a big success story in its almost 10 years of existence, could more had been achieved? Did OWASP fulfil its potential or should lessons be learned about what worked, what didn't work and what should be done differently in the future?
 +
 
 +
 
 +
Gunter Ollmann raises a number of important questions on [http://jeremiahgrossman.blogspot.com/2011/01/open-letter-to-owasp.html?showComment=1294441844053#c8066672109684414449 his answer to Jeremiah's blog post] :
 +
 
 +
''"...As someone who until fairly recently was deeply involved day-in, day-out with webapp security (and actively involved in OWASP projects) - but who now focused on other realms of security research - I'm disappointed that OWASP has failed to achieve its full potential.
 +
 
 +
OWASP needs to cross the chasm and address webapp security in the language that businesses can understand and action against. These businesses don't need to be preached to about technical inadequacies, what they need is specific guidance for their business vertical using the vocabulary they themselves use. And, more specifically, they need directly applicable worked-through examples of how their business will benefit from the proposed changes.
 +
 
 +
OWASP's traditional unguided "build it and they will come" approach has been largely unsuccessful and has had unexpected consequences (such as the PCI-DSS example).
 +
 
 +
Just like we can't expect a physicist to undertake a heart transplant just because someone handed him a medical journal detailing the process, we shouldn't be expecting embedded system engineers to pick up the OWASP application testing guide and suddenly producing secure code.
 +
 
 +
Translation of ideas or translation of ideals?..."''
  
| short_working_session_description=
 
  
 
|-
 
|-
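Review bot: the summit_session_url value in this hunk, `| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session091`, points at Session091 while the page being edited is Session061 (per the revision title above); confirm the intended target before saving. The summit_session_name value also reads "Did OWASP Failed to achieve its full potential?", which should be "Did OWASP Fail to achieve its full potential?".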

Revision as of 12:56, 12 January 2011


Did OWASP Fail to achieve its full potential? (and lessons learned)
WORKING SESSION IDENTIFICATION
Short Work Session Description: Although OWASP is a big success story in its almost 10 years of existence, could more have been achieved? Did OWASP fulfil its potential, or should lessons be learned about what worked, what didn't work and what should be done differently in the future?


Gunter Ollmann raises a number of important questions in his answer to Jeremiah's blog post (http://jeremiahgrossman.blogspot.com/2011/01/open-letter-to-owasp.html?showComment=1294441844053#c8066672109684414449):

"...As someone who until fairly recently was deeply involved day-in, day-out with webapp security (and actively involved in OWASP projects) - but who is now focused on other realms of security research - I'm disappointed that OWASP has failed to achieve its full potential.

OWASP needs to cross the chasm and address webapp security in the language that businesses can understand and action against. These businesses don't need to be preached to about technical inadequacies, what they need is specific guidance for their business vertical using the vocabulary they themselves use. And, more specifically, they need directly applicable worked-through examples of how their business will benefit from the proposed changes.

OWASP's traditional unguided "build it and they will come" approach has been largely unsuccessful and has had unexpected consequences (such as the PCI-DSS example).

Just like we can't expect a physicist to undertake a heart transplant just because someone handed him a medical journal detailing the process, we shouldn't be expecting embedded system engineers to pick up the OWASP application testing guide and suddenly produce secure code.

Translation of ideas or translation of ideals?..."

Related Projects (if any)


Email Contacts & Roles
Chair: Dinis Cruz
Operational Manager:
Mailing list:
WORKING SESSION SPECIFICS
Objectives:

Venue/Room: OWASP Global Summit Portugal 2011
Date & Time:
Discussion Model: participants and attendees

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS
WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

After the Board Meeting - fill in here.


Working Session Participants


WORKING SESSION PARTICIPANTS
Name | Company | Notes & reason for participating, issues to be discussed/addressed