[Owasp-cincinnati] RSVP For Tomorrow Meeting

Marco M. Morana marco.m.morana at gmail.com
Tue Sep 8 20:22:36 EDT 2009

Hi Ed

Thanks for your input. I appreciate any, positive or negative, and I think
yours is mostly positive. Let me reply point by point briefly:
1) I will move the next meeting to the evening, 6 PM, to accommodate other
attendees' schedules as well.
2) Content of the meetings. I am sorry it did not address what you are looking
for; this year's topics have been democratically selected from the survey I
did back at the beginning of the calendar.
I hope I can fit some of the topics of your interest into next year's calendar.
3) Regarding Gary's colorful take on developers.. I do not think Gary
seriously thinks that, as he does not think, I hope, that all Italians are
communists.. he might have said that as a provocation for a discussion. If you look
at the BSIMM (http://www.bsi-mm.com/) that Gary created, it certainly takes
developers' needs into consideration on what it takes to get software security,
last but not least training software developers and providing them tools and

Regarding the "industry" misunderstanding on how to build security in and
what it takes, I think the mission of OWASP is exactly to make sure it is
understood what it takes in terms of process, people and tools. Nevertheless
you might argue that we are or are not making progress.

I invite you to bring this as a topic for conversation to one of the next
forums if you are interested.

Hope this helps, thanks


-----Original Message-----
From: owasp-cincinnati-bounces at lists.owasp.org
[mailto:owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of Edward
Sent: Monday, September 07, 2009 4:58 PM
To: OWASP Cincinnati
Subject: Re: [Owasp-cincinnati] RSVP For Tomorrow Meeting

Since no one is speaking up about your attendance concerns perhaps I
could offer a perspective.

I am a software developer who is very interested in the prospect of
improving how we integrate security in the products we build. To that
end I am able to monitor this list, try to understand the issues at
hand and attend meetings when I can.

1) The meeting time is the biggest problem. Being able to allocate
drive time, meeting time and eating time in the middle of the day is
close to impossible. The meetings I have attended were at times when
my clients were located just around the corner from you, but in most
cases I can expect a 15- to 20-minute drive before and after the

I attend 3 or 4 other user group meetings a month that meet around the
6pm time frame. For me, planning evenings is easier than lunch times.
Certainly, I understand that this must vary greatly for your audience.

2) Meeting content doesn't address, in a practical way, what software
developers need to do to improve. Instead, the focus appears to be on
the security professional and the processes that can be used within an

This may, of course, be intentional, and I am just not the target
audience of OWASP. However, what I would like to achieve, by
attending, is to find a way to include security in the SDLC to
augment what I do.

This blog entry reflects some of my thinking on the subject and why it is
unlikely that I will become better at securing the products I build.


There is a fundamental misunderstanding about how our industry can
address these issues. The best illustration of this came from a talk
Gary McGraw gave at NKU a few years ago. I asked the question, "How
can I, a tech lead on a project, improve the security of the software
that my team produces?" His answer: "kick the developers' ass". It got
some laughs but, from my perspective, this appears to reflect the
general attitude that security professionals have towards software

I wish I had a better answer or even a better question. Maybe if I
could make it to a few more meetings everything would become clear :-)

Ed Sumerfield

On Thu, Aug 27, 2009 at 11:10 PM, Marco M.
Morana<marco.m.morana at gmail.com> wrote:
> Folks
> I was hoping for a larger attendance at the last meeting; not sure if it was
> due to my late announcement (sorry for that) or to lack of interest in the
> subject, maybe both?
> We had approximately 10 people, which over a list of 80 potential attendees
> (current list subscribers) does not shine as good participation.
> Anyway, the few that attended seemed to like the presentation and the
> video. For all of you I have put together a summary of the presentation's
> main points. If you watch the video and go over the slides I think it helps
> clarify, especially since I put some emphasis on the countermeasures that were
> in the presentation.
> For the next time, I would appreciate it if you could please let me know if
> there is anything I can do to encourage participation, such as time,
> location, topics etc.
> Regards
> Marco
> From: Marco M. Morana [mailto:marco.m.morana at gmail.com]
> Sent: Monday, August 24, 2009 8:15 AM
> To: 'OWASP Cincinnati'
> Subject: RSVP For Tomorrow Meeting
> Friendly reminder to RSVP for tomorrow's meeting
> Meeting starts at 12 for the Video presentation on Web Services and Top
> After the presentation I will present a summary with the main points for
> Q/A, propose some points for discussion and further references
> More info on http://www.owasp.org/index.php/Cincinnati
> Hope to see you there
> Regards
> Marco Morana
> OWASP Chapter Lead
> p.s. I will provide CDs with the blackhat presentations upon request
> (let me know in advance)
> _______________________________________________
> Owasp-cincinnati mailing list
> Owasp-cincinnati at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cincinnati