Friday 4 December 2015

JIRA Workflows for handing AppSec RISKS

Recently I have been acting as 'head of Application Security' for a couple UK companies, and one of my most effective actions has been to setup the JIRA workflow that you can see below.

The key to this workflow (and the secret of its success) is the action to get the business owners to click on the 'Accept Risk' button. 

That simple action makes the whole difference, since that is the moment that a particular RISK become REAL.

Now, the responsibility/decision/liability of NOT fixing an issue, is clearly mapped to an individual (which in some cases can even be the CTO).

Note that the definition of 'not fixing' should be 'will not be fixed in the next couple weeks'

Paying OWASP Leaders and some ideas on how OWASP should be supporting its projects

(based on an email to the owasp-leaders list)

The reasons why I believe OWASP  should not be allowed to pay owasp leaders are listed here

And since I have not been on the OWASP board for about 5 years, I think we need to realise that IF it was possible to pay owasp leaders to work on OWASP projects, THAT (paying owasp leaders) would have happened by now (after all, there has been enough budget to make that happen)

The problem is that there is still this 'idea' that "IF ONLY we could do that (pay owasp leaders) amazing stuff would happen". 

Request for OWASP board to approve 100K for a project Summit in 2016

(sent to the OWASP leaders list in early Dec 2015, following the original request made in June 2015)

Bumping this thread, since I believe not much has happened since.

I would like to request again for "OWASP board to approve 100K for a project Summit in 2016. And then ask for a team or OWASP leaders to lead that effort"

Proposed new strategy for OWASP projects - They are Research Projects

(variation of an email send to the owasp leaders list)

I think a key problem is the expectation that OWASP should ever be able to develop professional, best in class and 'secure' apps.

These conversations always tend to have a base on the idea that OWASP 'should not have a lot of projects' and 'only focus on a couple high-value/high-quality ones'. This never gains traction because that goes completely the model and culture of OWASP projects.

The reality is that really good a solid projects at OWASP are the exception and the outliers.