[Owasp-leaders] Developers Vs Security professionals

Stephen de Vries stephen at twisteddelight.org
Thu Dec 9 05:43:21 EST 2010


Hi Simon,

Yes, that's a spot-on observation and isn't limited to OWASP; it's quite endemic in the whole application security sector. You can even see the effects of it in the solutions that are currently available; for example, Web App Firewalls and App Vulnerability Scanners were paradigms that existed in the security world and were then twisted and mangled in order to fit web applications. I doubt whether those solutions would exist if the problem had been tackled from a developer's point of view.

Developers would more than likely have come up with something like ESAPI. I'm quite optimistic that developers _are_ getting the message; if you read the manuals for any of the popular web frameworks, like RoR, JBoss Seam, Spring, Django etc., they often include notes about preventing XSS and SQL injection, even XSRF in some cases. Personally, that's where I see a lot of potential growth for improving security, where framework developers take the concepts of ESAPI, and bits of it, and include them in the standard build of their frameworks.

Regards,
Stephen


On Dec 9, 2010, at 11:06 AM, psiinon wrote:

> Hi folks,
> 
> I'll freely admit that I'm relatively new to the world of OWASP, but I
> get the distinct impression that there's a significant involvement from
> security professionals and much less involvement from people from the
> software development side.
> I gave a talk last night at the OWASP Leeds / Northern UK meeting in
> Manchester, and to test this theory I asked which of these two
> areas people worked in.
> Only one person (out of ~25) worked in software development, and they
> were an ex-colleague of mine who came to see what I was up to!
> Do you think this is common?
> And if it is, should we be worried about it?
> I'm sure we will all agree that if we can't get developers interested
> in security then we'll just be firefighting all of the time.
> 
> Cheers,
> 
> Simon
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders



More information about the OWASP-Leaders mailing list