Justice League Blog
An OWASP Interaction Model

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve:
- Integration with standard-fare open source and commercial middleware commonly used to deploy organizations’ web-apps (e.g. CA SiteMinder, MQ-Series, Documentum, etc.)
- Greater predictability (and later maturity) in asset delivery road maps and schedule
- Complete and user-centric documentation regarding adoption, implementation, and configuration
- Progress against existing asset gaps deemed barriers to adoption by an organization
Jeff Williams and I collaborated on a Straw Man Partnership Model that describes ways for organizations to interact with OWASP.
As described above, the “buyer” (an organizational stakeholder) drives the interaction. For this, I posit a buyer-driven workflow (see figure below).

(Buyer-driven workflow available: here)
In summary, the buyer coordinates with the OWASP project owner (either directly, or through a partner such as Cigital) and determines things like level of effort (LoE), division of responsibilities, and what will ultimately be shared. The producer then works with OWASP project team resources to hit scheduling and roadmap signposts.
If you’re interested in helping your organization benefit from open source projects, perhaps I can help there. If you’re interested in helping mature the projects themselves, I can definitely help, especially with OWASP ESAPI or the cheat sheets. I’m also very interested in feedback on the whole partnership model. Please send mail.