The OWASP Security Ecosystem Project
Authored By Jeff Williams
The time has come for us to do even more to lead technology companies toward secure software! One key component of achieving secure software is a thriving community ecosystem focused on the security of the technology. A few organizations are starting to build these, like Microsoft’s BlueHat community and perhaps a few others. But there’s a huge opportunity to do better, and OWASP is uniquely positioned to lead this important effort.
The OWASP Security Ecosystem Project
OWASP has recently been approached by several large SaaS vendors to help them improve their security. We’ll be announcing these vendors and launching their ecosystems as soon as we get permission. Now is the time for us to organize our “Security Ecosystem Project” so that we are ready to help get these programs off the ground quickly and successfully.
So what is a “security ecosystem”?
Nobody (and no company) can build secure software by themselves. We have seen that vulnerability research can help to drive security forward in companies, but it’s a painful process. We envision a partnership between technology platform vendors and a thriving ecosystem focused on the security of their technology. The ecosystem will include researchers (both builders and breakers), tools, libraries, guidelines, awareness materials, standards, education, conferences, forums, feeds, announcements, and probably more.
Why collaborate with vendors?
It might be possible for OWASP to try to start an ecosystem without the vendor’s involvement. In fact, the OWASP Java and .NET projects partially fit that description. But such efforts may seem like a threat to technology vendors. Vendors might start their own ecosystems, but an ecosystem is much more likely to succeed with an independent partner like OWASP. The OWASP Ecosystem Project is intended to help create a collaborative, open effort to improve the security of a technology by focusing on visibility, understanding, and informed decisions about risk. OWASP’s independence and positive approach make us the perfect environment for these ecosystems to grow.
How do we get started?
The first step is to create a framework for a healthy security ecosystem! Then we can choose a few key technologies and vendors that want to work with us to start. We need to pull together the materials we already have, along with other materials out on the net, into an OWASP Security Ecosystem Portal. To grow the ecosystem, we’ll solicit research, tools, and other materials, and work with both end users and the vendor to focus on eliminating the key risks associated with the technology.
The future!
This could mark the dawning of a new collaborative era of application security, where companies actively engage with security researchers in order to make their products better. Everyone benefits by creating an ecosystem focused on fostering transparency. The time has come for security experts and software developers to collaborate. The stakes are way too high to waste time and effort on obscurity and infighting.
If you’re interested in helping get this program off the ground, we’re collaborating on defining the security ecosystem on the OWASP wiki at http://www.owasp.org/index.php/Security Ecosystem Project. We're looking for energetic technical leaders who would like to build a thriving security ecosystem around a technology. If you have at least 10 hours a week to dedicate to this important effort, and you think you're the right person, contact us at owasp@owasp.org.