Tuesday 31 May 2011

Let's Hack Google :)

Google just took another step in improving the state of their web applications: Rewarding Web Application Security Research. Kudos to them, and I hope this program is a great success.

This is a great development for WebAppSec (following on the footsteps of others like Mozilla)

Unfortunately this page also show how weak the OWASP brand is, since there is NO mention of OWASP on that page.

For the ones that keep worrying about 'abuses of the OWASP brand' , I am much more worried about the cases where it IS not used (like this one).And every-time we kick a fuzz about 'somebody XYZ is abusing the OWASP brand' is another sign we send to the outside world that we are a mess to deal with.

The way OWASP should measure success is by the opportunities that we are able to materialize. And our failures are the opportunities we miss. This was a good opportunity missed.

But we are not too late to join the party, so the interesting question is "What can we do, so that Google (and others) point to OWASP resources in pages like this?". We have good/amazing quality materials at owasp.org that could be referenced, and ideally we should also take the opportunity to add the 'how to fix it' angle (this would highlight the power that OWASP has since we can cover the: attack, detect, mitigate, fix and defend angles)

And if a new 'clean' website with only a couple owasp references is needed (with more details being provided via links to the main owasp.org website), then why don't we just do that!

Another interesting angle would be to use this type of public initiative as a sign of 'Security SDL maturity' by companies. So far, the data points to the fact that only companies that have a very solid SDL and security teams are confident enough to make this type of public statement (for example why isn't Sony doing the same thing :) ) . The Firefox crowd actually has good metrics on this (as presented at the Summit) and it would be great to explore more this concept/idea.