Wednesday 31 October 2012

Open question to Etsy security team: How can OWASP help?

Since I don't have a direct contact at Etsy's security team (apart from security-reports@etsy.com), here is the question I would like to ask them (which hopefully will reach the right person).

------------------------------------------------------------------------------------------------

Dear Etsy security team, 

How can OWASP help?

By OWASP, I mean the OWASP community (its projects, chapters, people, ideas, activities, energy).

From the information posted on your website and presented at conferences, you really take security seriously. 

You have been able to create a productive environment where secure code 'happens', and more importantly, there is a productive and pragmatic relationship between you (the security team), your developers and your management.

So, assuming that you still have a couple of things you would like to do better, is there a way (or place, or activity) where OWASP's community can help?

  • Maybe it is in creating better documentation or education materials for your developers/testers?
  • Maybe it's an improved schema for AppSensor that would allow your multiple teams to create even better data (or metadata) for your amazing graphs?
  • Maybe it is a special Summit on a topic that you care about? (see the amazing talent that we were able to gather in our last one)
  • Maybe it's better SAST or DAST rules for your tools?
  • Maybe it's better technical (and security-focused) information on how frameworks work and their security implications? (which will help with code reviews and code standards)
  • Maybe it's a working group on CSP (Content Security Policies) to share best practices and ideas on how to implement them? (with the key players from the browser vendors participating)
  • Maybe creating a series of events (or even a tour) around OWASP chapters and conferences where you can present your latest ideas and challenges? (the format is up to your imagination and availability)
  • Maybe it's better connectors, parsers or data transformations for the data you collect using StatsD?
  • ....feel free to propose your own (these are just ideas to kickstart the dialogue)

The idea is to start a collaboration with you.

There is a lot that OWASP can learn from what you are doing, and the more we are able to capture it, the more we can help others who also want to protect their customers, business and applications.

Thanks for your time

Dinis Cruz
OWASP Contributor


------------------------------------------------------------------------------------------------

Related Etsy posts: