[Owasp-cincinnati] RSVP For Tomorrow Meeting

Marco M. Morana marco.m.morana at gmail.com
Wed Sep 9 19:53:41 EDT 2009


Edward

Thanks for the techlife link, I already subscribed to it. I agree with you
that we need to reach out to the software developer community here in
Cincinnati and I appreciate your help.

Regards

Marco

p.s. our OWASP chapter has a board but I would like to get people with true
interest in OWASP to be part of it, so if you or any of the list would like
to be part you are quite welcome. Ideally we meet once a month at Panera in
Blue Ash.

-----Original Message-----
From: owasp-cincinnati-bounces at lists.owasp.org
[mailto:owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of Edward
Sumerfield
Sent: Wednesday, September 09, 2009 9:10 AM
To: OWASP Cincinnati
Subject: Re: [Owasp-cincinnati] RSVP For Tomorrow Meeting

A couple more thoughts.

1)  When teaching subjects targeted at software developers what about
doing it as an outreach to each user group in town. If you go to the
CinJUG or CinNUG groups you are guaranteed a 30+ attendance. Then
there are PHP, Ruby, Python, SQL and on and on. Every technology has
its enthusiasts and none of them come to OWASP meetings.

This approach would allow developers to see the practical side of the
problem. The Top 25 is an awesome resource but how does it impact them
in their daily life? How do I write my code to satisfy the boss and
the security ideal that they usually don't care about?

You could look at it as an annual OWASP outreach program. You built
it, they didn't come, so we better go to them :-)

2) From an advertising perspective, there is a new resource in town
called tech-life. We had a big meeting of all the user groups in town
and agreed to share our schedules in a common location so that it's
easier for everyone to get a central picture of what is going on.
Perhaps OWASP could add its info there as well.

    http://www.meetup.com/TechLife-Cincinnati/


On Tue, Sep 8, 2009 at 8:22 PM, Marco M. Morana <marco.m.morana at gmail.com> wrote:
> Hi Ed
>
> Thanks for your input, I appreciate any positive or negative and I think
> yours is mostly positive. Let me reply point to point briefly:
> 1) I will move the next meeting to the evening 6 PM to accommodate other
> attendees' schedules as well
> 2) Content of the meetings. I am sorry did not address what you are looking
> for, this year's topics have been democratically selected from the survey I
> did back at the beginning of the calendar
>
> http://www.owasp.org/index.php/Cincinnati#OWASP_Chapter_Meeting_Topics_Selection_For_2009_.28Mailing_List_Poll.29
> I hope I can fit some of the topics of your interest in next year calendar
> 3) regarding Gary's colorful take on developers... I do not think Gary
> seriously thinks that, as he does not think, I hope, that all Italians are
> communists... he might have said that as provocation for a discussion. If you look
> at the BSIMM (http://www.bsi-mm.com/) that Gary created certainly has
> developers need consideration on what it takes to get software security,
> least not last training software developers and provide them tools and
> processes.
>
> Regarding the "industry" misunderstanding on how to build security in and
> what it takes, I think the mission of OWASP is exactly to make sure it is
> understood what it takes in terms of process, people and tools. Nevertheless
> you might argue that we are making or not making progress.
>
> I invite you to take this as topic for conversation to one of the next
> forums if you are interested
>
> Hope this helps, thanks
>
> Marco
>
>
> -----Original Message-----
> From: owasp-cincinnati-bounces at lists.owasp.org
> [mailto:owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of Edward
> Sumerfield
> Sent: Monday, September 07, 2009 4:58 PM
> To: OWASP Cincinnati
> Subject: Re: [Owasp-cincinnati] RSVP For Tomorrow Meeting
>
> Since no one is speaking up about your attendance concerns perhaps I
> could offer a perspective.
>
> I am a software developer who is very interested in the prospect of
> improving how we integrate security in the products we build. To that
> end I am able to monitor this list, try to understand the issues at
> hand and then attend meetings when I can.
>
> 1)  The meeting time is the biggest problem. Being able to allocate
> drive time, meeting time and eating time in the middle of the day is
> close to impossible. The meetings I have attended were at times when
> my clients were located just around the corner from you but in most
> cases, I can expect a 15 to 20 minute drive before and after the
> meeting.
>
> I attend 3 or 4 other user group meetings a month that meet around the
> 6pm time frame. For me, planning evenings is easier than lunch times.
> Certainly, I understand that this must vary greatly for your audience.
>
> 2) Meeting content doesn't address, in a practical way, what software
> developers need to do to improve. Instead, the focus appears to be on
> the security professional and the processes that can be used within an
> organization.
>
> This may, of course, be intentional, and I am just not the target
> audience of OWASP. However, what I would like to achieve, by
> attending, is to find a way to include security into the SDLC to
> augment what I do.
>
> This blog entry reflects some of my thinking on the subject and why it is
> unlikely that I will become better at securing the products I build.
>
>
> http://esumerfield.blogspot.com/2009/06/security-and-quality-through-testing-or.html
>
> There is a fundamental misunderstanding about how our industry can
> address these issues. The best illustration of this came from a talk
> Gary McGraw gave at NKU a few years ago. I asked the question, "How
> can I, a tech lead on a project, improve the security of the software
> that my team produces?". His answer, "kick the developers ass". It got
> some laughs but, from my perspective, this appears to reflect the
> general attitude that security professionals have towards software
> developers.
>
> I wish I had a better answer or even a better question. Maybe if I
> could make it to a few more meetings everything would become clear :-)
>
> Ed Sumerfield
> http://www.edsumerfieldconsulting.com
>
>
> On Thu, Aug 27, 2009 at 11:10 PM, Marco M.
> Morana<marco.m.morana at gmail.com> wrote:
>> Folks
>>
>> I was hoping for a larger attendance to the last meeting, not sure it was
>> for my late announcement (sorry for that) or for the lack of interest on the
>> subject, maybe both?
>>
>> We had approximately 10 people that over a list of 80 potential attendees
>> (current list subscribers) does not shine as good participation.
>>
>> Anyways, the few that attended seemed to like the presentation and the
>> video. For all of you I have put together a summary of the presentation’s
>> main points. If you watch the video and go over the slides I think helps to
>> clarify especially I put some emphasis on countermeasures that was implicit
>> in the presentation.
>>
>> For the next time, I would appreciate if you could please let me know if
>> there is anything I can do to encourage participation such as time schedule,
>> location, topics etc
>>
>> Regards
>>
>> Marco
>>
>> From: Marco M. Morana [mailto:marco.m.morana at gmail.com]
>> Sent: Monday, August 24, 2009 8:15 AM
>> To: 'OWASP Cincinnati'
>> Subject: RSVP For Tomorrow Meeting
>>
>> Friendly Reminder to RSVP for tomorrow meeting
>>
>> Meeting starts at 12 for the Video presentation on Web Services and Top 10.
>>
>> After the presentation I will present a summary with the main points for any
>> Q/A, propose some points for discussion and further references
>>
>> More info on http://www.owasp.org/index.php/Cincinnati
>>
>> Hope to see you there
>>
>> Regards
>>
>> Marco Morana
>> OWASP Chapter Lead
>>
>> p.s. I will provide CDs with the blackhat presentations upon request (please
>> let me know in advance)
>>
>> _______________________________________________
>> Owasp-cincinnati mailing list
>> Owasp-cincinnati at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-cincinnati