[Owasp-leaders] Developers Vs Security professionals

John Wilander john.wilander at owasp.org
Thu Dec 9 05:20:26 EST 2010


Hi Simon and the others!

Yes, I recognize the tilted balance between security people and developers
in OWASP. Swedish chapter meetings have the same "problem". OWASP AppSec
conferences too.

My first interview question to our chair Jeff Williams was "Will OWASP ever
reach out to developers?". Read his answer(s) here:
http://owaspsweden.blogspot.com/2010/07/interview-with-jeff-williams.html

Then I reported on a potential bridge in cooperating with the FOSS community
and arranging so called hackathons. Check the leaders list archive here:
https://lists.owasp.org/pipermail/owasp-leaders/2010-September/003573.html

I've also tried to boil down how I try to close the gap and make a
difference in my personal AppSec Manifesto (
http://appsandsecurity.blogspot.com/2010/11/appsec-manifesto.html):

*John's AppSec Manifesto*

   - Developers are not lazy, rather quality oriented => Insecure
   applications do not stem from laziness.
   - Features and functions are always more important than
   security => Security should enable more features and functions.
   - Responsible disclosure is a good way of achieving more secure
   applications => Hackers are needed.
   - Technology is a crucial part of security => Therefore I keep coding.


   Regards, John


2010/12/9 psiinon <psiinon at gmail.com>

> Hi folks,
>
> I'll freely admit that I'm relatively new to the world of OWASP, but I
> get the distinct impression that there's a significant involvement from
> security professionals and much less involvement from people from the
> software development side.
> I gave a talk last night at the OWASP Leeds / Northern UK meeting in
> Manchester, and to test this theory I asked which of these 2 areas
> people worked in.
> Only one person (out of ~25) worked in software development, and they
> were an ex-colleague of mine who came to see what I was up to!
> Do you think this is common?
> And if it is, should we be worried about it?
> I'm sure we will all agree that if we can't get developers interested
> in security then we'll just be firefighting all of the time.
>
> Cheers,
>
> Simon
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee