Wednesday, 31 October 2012

Etsy.com - A case study on how to do security right?

First a quick disclaimer: as far as I can think of, I don't know anybody at Etsy.com, nor have I had any conversations with them in the past.

Following on from Nick's amazing presentation on integrating security into the SDL, my look into Etsy's Code as Craft blog and my experiment with Graphite (see Measure Anything, Measure Everything, AppSensor and Simple Graphite Hosting), I have to say that I have been more and more impressed with Etsy's pragmatic and focused approach to application security.

For example check these out:


This is 'real-world' stuff, and it's what happens when there is good awareness of the importance of, and need for, doing security.

As you can see, here is a team (from management to engineering) that 'gets' application security, and these are the guys that should be driving a number of OWASP's initiatives, since they represent the 'real world'. Please correct me if I'm wrong, but a Google and OWASP search (for 'OWASP Etsy') didn't show a lot of joint activity (the best results were Nick's participation in AppSec USA and this job post mentioning the OWASP Top 10). It would be great to see Etsy's guys pushing projects like: AppSensor, ESAPI, ZAP, the Testing, Developer and Code Review guides, O2, Exams/Certification, etc.

We (OWASP) need to find ways to get these guys more involved and put them in the driving seat.

In fact, for the next OWASP Summit, we have to make sure these guys are there, working collaboratively with the best minds in Application Security :)