Minutes of the Global Industry Committee meeting held by conference call on 5 Jan 2010 at 19:00 GMT.
- Rex Booth
- David Campbell
- Georg Hess
- Yiannis Pavlosoglou
- Colin Watson (Chair)
Apologies were received from Eoin Keary and Dave Wichers (OWASP Board member representative).
Discussions, Actions and Results
Updates on recent activities
RB described the very successful work led by Dan Philpott responding to NIST's SP 800-37 Revision 1 Final Public Draft. DC explained how this document provides the whole high-level framework for FISMA regulations and is therefore very important in the US federal sector. RB suggested that if we have an opportunity to work with NIST again in the future, DP is a good person to reach out to and get involved with the efforts.
YP asked about previous NIST responses and why this one was such a success. DC explained SP 800-37 is much higher profile for ISM of federal agencies—it doesn't get any more important or visible. DP's involvement and personal relationship was key.
CW described how a contact made by Dinis Cruz at IBWAS09, the Iberic Web Application Security conference, led to a conference call with ENISA staff to discuss future collaboration. CW responded to Dinis's message to the GIC mailing list and participated in the call.
Actions and results:
- RB to ask DP whether he can provide a testimonial from NIST
- RB to ask AppSec Washington's keynote speaker for a testimonial
- CW to work with the OWASP Cloud-10 Project to contribute to the development of Common Assurance Metrics for ENISA's Cloud Computing Information Assurance Framework
- CW to provide YP with details of the contacts at ENISA
- CW to remind Dinis about second potential ENISA collaboration concerning mobile application security
GIC structure and outreach
The committee discussed Tom Brennan's thoughts on structure for our efforts. GH discussed how the approach might have to be flexible to match local cultural and vertical market needs and the degree of OWASP presence. DC highlighted that there are already a number of very influential sector-specific people within OWASP, but we are not leveraging that. YP highlighted that there have been a wide range of local initiatives but there may be opportunities to develop more sector-specific approaches. The GIC felt that we could stretch ourselves too thinly if we try to organise too many levels and fragment our efforts. Where location or sector specific interest groups can be identified and they are willing to give their time, the GIC will help organise and promote these.
The GIC has been relatively reactive rather than proactive in its outreach efforts in 2009.
1. Need to develop our approach and strategy, together with outreach materials suitable for non-IT and non-security audiences, identifying the benefits OWASP offers.
2. Identify influential people we already know either within OWASP or in our own contacts, who we can approach in important sectors to trial the approach with.
3. Learn from the experience to develop our resources and approach.
The GIC welcomed EK's ideas of a more formal, less grass-roots, more professional, industry-specific event, perhaps aimed at (non-IT) C-level in one sector vertical. The opportunity to spread the word would be good if we can have the right type of materials for the potential audience and if the target group can be convinced to attend. The right approach, strategy and materials would be needed. If OWASP doesn't have enough traction, and there is low attendance, this would undermine the success and OWASP's reputation - could participation at some other organisation's event/conference be a better way to achieve adequate attendance? Sectors might be energy, financial (banking/insurance), government, health or PCI. Are there influential people in these sectors already involved in OWASP whom we can ask to help develop a plan?
Actions and results:
- [all] Discuss EK's ideas further with him
- [unallocated] Identify significant organisations (e.g. PCI DSS) and who OWASP's key contact points in those organisations are, and who in OWASP is nurturing the relationship
- YP to create a short slide deck providing an overview of OWASP (with input from Education and Membership committees)
- Each GIC member to identify a sector to target in their own location. Possibly:
  - RB: Government (NIST)
  - DC: Electronic commerce (Secure POS Vendor Alliance)
  - GH: Financial (major German bank)
  - YP: Education/professional
  - CW: Government (FSA)
GH raised the subject of creating a position statement (e.g. on a recent court case) and Jeff's comments on the OWASP Leaders list. The view was that any committee could write a statement, but if framed as an OWASP position it would need approval from the Board. Note: Dinis Cruz had mentioned position statements in Poland this year.
CW thanked Grant Thornton for providing the conference call facilities.
DC will publish the MP3 recording of the conference call on the GIC wiki page.