Friday, 27 April 2012

Trustworthy Internet Movement and SSL Pulse

Ivan's interesting work at Qualys continues with the launch of the Trustworthy Internet Movement (TIM) and SSL Pulse at RSA.

There are a number of interesting developments here:

  • Great presentation and message
  • Real nice project page for SSL-Pulse: https://www.trustworthyinternet.org/ssl-pulse/
  • Good funded project: Its looks like they started with 500k USD investment from Philippe Courtot
  • Some efforts at creating a community (with a Join the Movement) although it doesn't say what happens next
  • Reuse of  Ivan's SSL Labs great work gives this 'Movement' a good momentum 
  • Now look at they fundamentals ('Innovation, Collaborate, Individual Expertise'), principle ('TIM’s mission is to resolve major lingering security issues on the Internet, such as SSL governance and the spread of botnets and malware, by ensuring security is built into the very fabric of private and public clouds, rather than being an afterthought.') and Target Audience ('Experts, Innovators and Technical gurus, Stakeholders, Corporations, Academic institutions and non-profit organizations, Angel investors and VCs')
    • Quite a targeted audience 
    • Will be interesting to see who joins and provides financial backing
    • Its quite SSL focused, there is a lot more to cloud security than SSL :)
    • No reference to openness :)
    • It sounds a lot like the model Mark Curphey wishes OWASP would follow :)
So at the moment this is basically a good Qualy's branding exercise, and will help a bit to improve the WebApp security world, but the key question is if there will be community adoption/participation and if others will join the party.

There is nothing wrong with what Qualys is doing, and the fact that this investment (on Application Security) is happening outside of OWASP shows that OWASP doesn't currently have a model/structure that promotes this type of collaboration. And that is very unfortunate, since in terms of worldwide community and reach there is SO much OWASP could do to help this type of initiative.