Following on from Nick's Amazing presentation on integrating security into the SDL, my look into Etsy's Code as Craft blog and my experiment with Graphite (see Measure Anything, Measure Everything, AppSensor and Simple Graphite Hosting),
I have to say that I have been more and more impressed with Etsy's pragmatic and focused approach to application security.
For example check these out:
- Scaling User Security (where they describe their experience in 'Rolling out Full Site SSL' and 'Two factor authentication')
- Announcing the Etsy Security Bug Bounty Program
- Couple more posts tagged as 'security': http://codeascraft.etsy.com/category/security/
- Etsy has been one of the best companies I've reported holes to. (reddit thread)
- Effective approaches to web application security (haven't read it yet, but it looks like another 'must see' presentation)
This is 'real-world' stuff, and it's what happens when there is good awareness of the importance of and need for doing security.
As you can see, here is a team (from management to engineering) that 'gets' application security, and these are the guys that should be driving a number of OWASP's initiatives, since they represent the 'real-world'. Please correct me if I'm wrong, but a Google and OWASP search (for 'OWASP Etsy') didn't show a lot of joint activity (the best hits were Nick's participation in AppSec USA and this job post mentioning the OWASP Top 10). It would be great to see Etsy's guys pushing projects like: AppSensor, ESAPI, ZAP, the Testing, Developer and Code-Review guides, O2, Exams/Certification, etc.
We (OWASP) need to find ways to get these guys more involved and put them in the driving seat.
In fact, for the next OWASP Summit, we have to make sure these guys are there, working collaboratively with the best minds in Application Security :)