[Owasp-cincinnati] RSVP For Tomorrow Meeting (Will Smith) and questions Ed brought up.

Smith, William william.smith at westernsouthernlife.com
Tue Sep 8 13:44:37 EDT 2009

It is pretty typical that people don't respond to messages about poor
attendance. I think it's a psychological thing. Anyway, I was not able
to attend last week because I was out of town in Massachusetts. While I
did find the topic something of interest, I didn't think it cost-effective
to fly to Cincinnati for an hour-long meeting and fly back.

Special note: summers are notorious for poor attendance. 

So, Ed, to your questions:

1) Maybe a mix of evening and afternoon meetings would be better. I know
that lunch is better for me, but it may not be for others. The question
would then arise as to whether the location would accommodate a 6pm time,
or whether 6pm is good, what with rush hour and all. It's at least worth

As for OWASP meeting topics, some of the ones I have attended have been
useful on the programming level, and some at the security profession
level. Maybe Marco could add a "target audience" to the announcement to
help clarify who the topic is geared for. That might help you prioritize
which meetings you should attend. Just a suggestion.

2) As an auditor, I have to ask the same question you are... How do you
create a process in the SDLC that includes security as a component? One
place to start is the education of programmers in secure
programming practices. Most security articles and training are focused on
reverse engineering, i.e. try to break the code, fix it, try to break it
again. There are some SANS classes on secure programming, but these are
expensive on a tight budget.

There are a few tidbits to garner about the subject by reading the OWASP
Wiki. There are also tools on the Wiki you can use to try and do the
reverse engineering stuff on your web program. Learning how to use them
is a hurdle but, once you do, it is a process you can insert into your
SDLC. Plan, Code, Test (functions and security) and recode if necessary,
QA, Publish. That is pretty much the (Secure) SDLC model in a nutshell.
What usually gets missed is security, unless it is a specific security
function you are testing. The idea of secure programming tests is
testing outside the box; what can you do that isn't designed? It
increases the time in test, but your end result is much more secure. If
you have security team members who are good at using exploitation
tools, you can involve them in the SDLC to cut down on time and/or
decrease the number of exploits in your final product.

So far, I haven't seen any company do an (S)SDLC effectively with every
project. In project management, you have the triangle of Cost, Resources
and Time. Adding in the security test component usually increases time,
probably increases cost, and definitely requires more skilled resources.
So when Gary McGraw said "kick the developers ass" he really needed to
say "kick the sponsor ass and get the time, money and resources to do it
properly". Yes, many developers are all too often lazy or ignorant of the
risks, but it's the sponsors of the project who really need to
understand that 1) security is needed, 2) security is going to cost more
in time, money and resources, and 3) if we don't do it right, we will
just have to do it again later and lose the company money, at best, and
reputation, at worst.

For some input (if you haven't seen this yet),
http://www.sans.org/top25errors/#s4 lists 25 of the most dangerous errors
in programming. It's at least a start.

Another item is
published last year which has some good information as well. 

I hope this helps.

Will Smith, CISA, Advanced Internal Auditor Western & Southern Financial
Group, Internal Audit
O:  (513) 362-8371   Fax:  (513) 362-8333 

-----Original Message-----
Date: Mon, 7 Sep 2009 16:58:24 -0400
From: Edward Sumerfield <esumerfd at bitbashers.org>
Subject: Re: [Owasp-cincinnati] RSVP For Tomorrow Meeting
To: OWASP Cincinnati <owasp-cincinnati at lists.owasp.org>

Since no one is speaking up about your attendance concerns perhaps I
could offer a perspective.

I am a software developer who is very interested in the prospect of
improving how we integrate security in the products we build. To that
end I am able to monitor this list, try to understand the issues at hand
and attend meetings when I can.

1)  The meeting time is the biggest problem. Being able to allocate
drive time, meeting time and eating time in the middle of the day is
close to impossible. The meetings I have attended were at times when my
clients were located just around the corner from you but in most cases,
I can expect a 15 to 20 minute drive before and after the meeting.

I attend 3 or 4 other user group meetings a month that meet around the
6pm time frame. For me, planning evenings is easier than lunch times.
Certainly, I understand that this must vary greatly for your audience.

2) Meeting content doesn't address, in a practical way, what software
developers need to do to improve. Instead, the focus appears to be on
the security professional and the processes that can be used within an

This may, of course, be intentional, and I am just not the target
audience of OWASP. However, what I would like to achieve, by attending,
is to find a way to include security in the SDLC to augment what I do.

This blog entry reflects some of my thinking on the subject and why it is
unlikely that I will become better at securing the products I build.


There is a fundamental misunderstanding about how our industry can
address these issues. The best illustration of this came from a talk
Gary McGraw gave at NKU a few years ago. I asked the question, "How can
I, a tech lead on a project, improve the security of the software that
my team produces?". His answer, "kick the developers ass". It got some
laughs but, from my perspective, this appears to reflect the general
attitude that security professionals have towards software developers.

I wish I had a better answer or even a better question. Maybe if I could
make it to a few more meetings everything would become clear :-)

Ed Sumerfield

On Thu, Aug 27, 2009 at 11:10 PM, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> Folks
> I was hoping for a larger attendance at the last meeting; not sure if it
> was because of my late announcement (sorry for that) or for the lack of
> interest in the subject, maybe both?
> We had approximately 10 people, which out of a list of 80 potential
> attendees (current list subscribers) does not shine as good.
> Anyways, the few that attended seemed to like the presentation and the
> video. For all of you I have put together a summary of the
> presentation's main points. If you watch the video and go over the
> slides I think it helps to clarify, especially since I put some emphasis on
> countermeasures that were implicit in the presentation.
> For the next time, I would appreciate if you could please let me know 
> if there is anything I can do to encourage participation such as time 
> schedule, location, topics etc
> Regards
> Marco
> From: Marco M. Morana [mailto:marco.m.morana at gmail.com]
> Sent: Monday, August 24, 2009 8:15 AM
> To: 'OWASP Cincinnati'
> Subject: RSVP For Tomorrow Meeting
> Friendly reminder to RSVP for tomorrow's meeting.
> Meeting starts at 12 for the video presentation on Web Services and
> Top 10.
> After the presentation I will present a summary with the main points 
> for any Q/A, propose some points for discussion and further references
> More info on http://www.owasp.org/index.php/Cincinnati
> Hope to see you there
> Regards
> Marco Morana
> OWASP Chapter Lead
> p.s. I will provide CDs with the blackhat presentations upon request 
> (please let me know in advance)
> _______________________________________________
> Owasp-cincinnati mailing list
> Owasp-cincinnati at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cincinnati

End of Owasp-cincinnati Digest, Vol 23, Issue 1