Software Integrity


An OWASP interaction model

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve:

  1. Integration with standard-fare open source and commercial middleware commonly used to deploy organizations’ web-apps (e.g. CA SiteMinder, MQ-Series, Documentum, etc.)
  2. Greater predictability (and later maturity) in asset delivery road maps and schedule
  3. Complete and user-centric documentation regarding adoption, implementation, and configuration
  4. Progress against existing asset gaps deemed barriers to adoption by an organization

Jeff Williams and I collaborated on a Straw Man Partnership Model that describes ways for organizations to interact with OWASP.

As described above, the “buyer” (an organizational stakeholder) drives the interaction. For this, I posit a buyer-driven workflow (see figure below).

(Buyer-driven workflow diagram available here.)

Summarizing, the buyer coordinates with the OWASP project owner and determines things like: level of effort (LoE), division of responsibilities, and what will ultimately be shared back. The producer then works with OWASP project team resources to hit scheduling and roadmap sign-posts.

If you’re interested in helping your organization benefit from open source projects, perhaps I can help there. If you’re interested in helping mature the projects themselves, I can definitely help, especially with OWASP ESAPI or the cheat sheets. I’m also very interested in feedback on the whole partnership model. Please send mail.