[Owasp-leaders] Developers Vs Security professionals

Paolo Perego thesp0nge at gmail.com
Thu Dec 9 05:46:23 EST 2010


On 9 December 2010 11:06, psiinon <psiinon at gmail.com> wrote:
> Hi folks,
>
> I'll freely admit that I'm relatively new to the world of OWASP, but I
Hi Simon, great to have you on board :-)

> get the distinct impression that theres a significant involvement from
> security professions and much less involvement from people from the
> software development side.
[snip]
You hit the point. From my own perspective I see a lot of infosec guys
at security events but very few developers.
I guess a possible reason is that developers are not trained to see
security as part of their concern; as John said, this doesn't
mean they are lazy, they are simply focused on other things.

Truth be told, I'm not a "security consultant" anymore but I'm a
developer guy now. So I see the problem from the "other side".
The major issues that in my opinion stop a dev from attending an Owasp
event are:
a) "this is not my concern, I write software, I don't care about pentests"
b) "Hey, I'm really interested in writing more secure code but I don't
understand anything about XSS, SQL Injection and friends, so I won't
understand anything, I'd just be throwing away money"
c) "I don't know any of the people presenting. Who are they? Do they write code?"

So, I agree on pushing towards hackathons and doing some marketing of our
tools to explain that security guys can code too.

I noticed that being a sec guy is a huge step when looking for people
in the FOSS community (e.g. for the Owasp Orizon project or Esapi for Ruby).

Just my €0,02

Paolo
-- 
"... static analysis is fun, again!"

OWASP Orizon project leader, http://github.com/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby