[Owasp-cincinnati] RSVP For Tomorrow Meeting

Edward Sumerfield esumerfd at bitbashers.org
Mon Sep 7 16:58:24 EDT 2009

Since no one is speaking up about your attendance concerns, perhaps I
could offer a perspective.

I am a software developer who is very interested in the prospect of
improving how we integrate security in the products we build. To that
end I am able to monitor this list, try to understand the issues at
hand and attend meetings when I can.

1)  The meeting time is the biggest problem. Being able to allocate
drive time, meeting time and eating time in the middle of the day is
close to impossible. The meetings I have attended were at times when
my clients were located just around the corner from you but in most
cases, I can expect a 15 to 20 minute drive before and after the

I attend 3 or 4 other user group meetings a month that meet around the
6pm time frame. For me, planning evenings is easier than lunch times.
Certainly, I understand that this must vary greatly for your audience.

2) Meeting content doesn't address, in a practical way, what software
developers need to do to improve. Instead, the focus appears to be on
the security professional and the processes that can be used within an

This may, of course, be intentional, and I am just not the target
audience of OWASP. However, what I would like to achieve, by
attending, is to find a way to include security in the SDLC to
augment what I do.

This blog entry reflects some of my thinking on the subject and why it is
unlikely that I will become better at securing the products I build.


There is a fundamental misunderstanding about how our industry can
address these issues. The best illustration of this came from a talk
Gary McGraw gave at NKU a few years ago. I asked the question, "How
can I, a tech lead on a project, improve the security of the software
that my team produces?" His answer: "kick the developers' ass". It got
some laughs but, from my perspective, this appears to reflect the
general attitude that security professionals have towards software

I wish I had a better answer or even a better question. Maybe if I
could make it to a few more meetings everything would become clear :-)

Ed Sumerfield

On Thu, Aug 27, 2009 at 11:10 PM, Marco M.
Morana<marco.m.morana at gmail.com> wrote:
> Folks
> I was hoping for a larger attendance at the last meeting; not sure if it was
> due to my late announcement (sorry for that) or to a lack of interest in the
> subject, maybe both?
> We had approximately 10 people, which, out of a list of 80 potential attendees
> (current list subscribers), does not shine as good participation.
> Anyway, the few that attended seemed to like the presentation and the
> video. For all of you I have put together a summary of the presentation's
> main points. If you watch the video and go over the slides, I think it helps to
> clarify, especially since I put some emphasis on countermeasures that were implicit
> in the presentation.
> For the next time, I would appreciate it if you could please let me know if
> there is anything I can do to encourage participation, such as time schedule,
> location, topics, etc.
> Regards
> Marco
> From: Marco M. Morana [mailto:marco.m.morana at gmail.com]
> Sent: Monday, August 24, 2009 8:15 AM
> To: 'OWASP Cincinnati'
> Subject: RSVP For Tomorrow Meeting
> Friendly reminder to RSVP for tomorrow's meeting.
> The meeting starts at 12 for the video presentation on Web Services and Top 10.
> After the presentation I will present a summary with the main points for any
> Q/A, propose some points for discussion and further references
> More info on http://www.owasp.org/index.php/Cincinnati
> Hope to see you there
> Regards
> Marco Morana
> OWASP Chapter Lead
> p.s. I will provide CDs with the blackhat presentations upon request (please
> let me know in advance)
> _______________________________________________
> Owasp-cincinnati mailing list
> Owasp-cincinnati at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cincinnati
