[Owasp-leaders] Developers Vs Security professionals

Gunnar Peterson gunnar at arctecgroup.net
Thu Dec 9 10:08:05 EST 2010

I wrote an Enterprise Security To Do list for 2009; the first and second recommendations relate directly to this.

1. Educate yourself on state of the practice in software development
Spend as much time (or more) reading about software and data as reading Bruce Schneier and security. Specifically, security people should pick some good topics in software and data and follow up on them. Some good places to start: Martin Fowler, Pat Helland, and Kent Beck. If you want to be taken seriously by developers, you need to master this stuff before lecturing developers on how you think the so-called SDLC should work. Plus, understanding the software development rabbit holes in your organization will help you craft more successful implementations.

Or as Steve Ballmer says, "Developers. Developers. Developers."

2. Eat lunch with developers
Take some of your security budget and eat lunch, or have drinks or coffee, with some folks in development. People are the keys to solutions. Security people need to build good relationships with the software developers who need to carry the mail.
