[Owasp-leaders] Are Security folks too stiff

Dave Wichers dave.wichers at owasp.org
Tue Mar 3 10:08:08 EST 2009


Some of us are :)

See my talk on Security in Agile Development at:
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

The slides are here:
http://www.owasp.org/images/a/a3/AppSecNYC08-Agile_and_Secure.ppt

It's my position that 'we' (the application security community) are not
enabling developers to succeed. We can't simply tell them to write secure
code, and teach them to write secure code, but we have to enable them to
write secure code. That means at least two things: 1) we need to adapt our
assurance methodologies so we can build secure code and gain assurance using
the development methodology that works for the developers (we can't force
them to write code the way WE want them to do it), and 2) we need to give
them the capability to write secure applications within the constraints they
live in, which is develop fast, iterate quickly, use the latest cool
technologies, etc.

To enable them, we need to provide them with secure components that are
powerful and easy to use, and hard to use incorrectly, which is the entire
goal of the OWASP ESAPI project (http://www.owasp.org/index.php/ESAPI). We
also need to make the languages, browsers, frameworks, etc. that developers
use or have to interact with more secure by default, which is the goal of
the OWASP ISWG project (http://www.owasp.org/index.php/ISWG).

ESAPI can have REAL IMPACT TODAY, because it is something developers can
grab and use now. ISWG has more long-term goals that are worth striving for,
but they will take longer to have real impact. We are starting to have some
impact already with more browser support for HttpOnly across browsers, and
some changes to upcoming releases of Java EE. Hopefully we will start having
more impact on more languages, browsers, and frameworks, to make them more
secure by default.

This is clearly a hard problem, but 'we' the application security community
need to figure out how to enable developers to succeed. We can't simply
demand that they do it. Particularly 'our way', whatever way that might be.

 -Dave

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James
F (HTSC, IT)
Sent: Monday, March 02, 2009 4:03 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Are Security folks too stiff

A peer of mine sent me this link:
http://www.infoworld.com/article/09/02/26/How_to_achieve_more_Agile_application_securit_1.html?source=NLC-SEC&cgd=2009-03-02

But also asked me a question of why aren't security types embracing agile
methods and lighter-weight methodologies? Any thoughts on CLASP guidance
when compared/contrasted against the Agile Manifesto?
