[Owasp-leaders] Are Security folks too stiff

Dave Wichers dave.wichers at owasp.org
Tue Mar 3 10:08:08 EST 2009

Some of us are :)


See my talk on Security in Agile Development at:


The slides are here:


It's my position that 'we' (the application security community) are not
enabling developers to succeed. We can't simply tell them to write secure
code, and teach them to write secure code, but we have to enable them to
write secure code. That means at least 2 things, 1) we need to adapt our
assurance methodologies so we can build secure code and gain assurance using
the development methodology that works for the developers (we can't force
them to write code the way WE want them to do it), and 2) we need to give
them the capability to write secure applications within the constraints they
live in, which is develop fast, iterate quickly, use the latest cool
technologies, etc. 


To enable them, we need to provide them with secure components that are
powerful and easy to use, and hard to use incorrectly, which is the entire
goal of the OWASP ESAPI project (http://www.owasp.org/index.php/ESAPI). We
also need to make the languages, browsers, frameworks etc. that developers
use or have to interact with more secure by default, which is the goal of
the OWASP ISWG project (http://www.owasp.org/index.php/ISWG).


ESAPI can have REAL IMPACT TODAY, because it is something developers can
grab and use now. ISWG has more long term goals that are worth striving for,
but they will take longer to have real impact. We are starting to have some
impact already with more browser support for HTTP_ONLY across browsers, and
some changes to upcoming releases of Java EE. Hopefully we will start having
more impact on more languages, browsers, frameworks, to make them more
secure by default.


This is clearly a hard problem, but 'we' the application security community
need to figure out how to enable developers to succeed. We can't simply
demand that they do it, particularly 'our way', whatever way that might be.




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James
Sent: Monday, March 02, 2009 4:03 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Are Security folks too stiff


A peer of mine sent me this link:

But also asked me a question of why aren't security types embracing agile
methods and lighter-weight methodologies? Any thoughts on CLASP guidance
when compared/contrasted against the Agile Manifesto?
