[Owasp-leaders] Developers Vs Security professionals
john.wilander at owasp.org
Thu Dec 9 10:19:32 EST 2010
My firm belief:
Being in the middle of application security means 70 % software and 30 %
security. Software development and engineering is simply a much larger
discipline and knowing where security fits in requires hands-on knowledge on
how software is made ... today. You can stay away from code and be
tremendously successful in *IT* and *information* security, but you have to
spend lots and lots of time with software development to be successful in *
You don't have to believe in it at all :).
2010/12/9 Gunnar Peterson <gunnar at arctecgroup.net>
> I wrote an Enterprise Security To Do list for 2009, the first and second
> recommendations relate directly to this
> 1. Educate yourself on state of the practice in software development
> Spend as much time (or more) reading about software and data as reading
> Bruce Schneier and security. Specifically, security people should pick some
> good topics in software and data and follow up on them - some good places to
> start: Martin Fowler, Pat Helland, and Kent Beck. If you want to be taken
> seriously by developers, you need to master this stuff before lecturing
> developers on how you think the so-called SDLC should work. Plus
> understanding the software development rabbit holes in your organization
> will help you craft more successful implementations.
> Or as Steve Ballmer says, "Developers. Developers. Developers."
> 2. Eat lunch with developers
> Take some of your security budget and eat lunch or drinks or coffee with
> some folks in development. People are the keys to solutions. Security people
> need to build good relationships with the software developers that need to
> carry the mail.
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit,