[Owasp-leaders] Developers Vs Security professionals

John Wilander john.wilander at owasp.org
Thu Dec 9 10:19:32 EST 2010

Word, Gunnar!

My firm belief:
Being in the middle of application security means 70 % software and 30 %
security. Software development and engineering is simply a much larger
discipline and knowing where security fits in requires hands-on knowledge on
how software is made ... today. You can stay away from code and be
tremendously successful in *IT* and *information* security, but you have to
spend lots and lots of time with software development to be successful in *
application* security.

You don't have to believe in it at all :).


2010/12/9 Gunnar Peterson <gunnar at arctecgroup.net>

> I wrote a Enterprise Security To Do list for 2009, the first and second
> recommendations relate directly to this
> 1. Educate yourself on state of the practice in software development
> Spend as much time (or more) reading about software and data as reading
> Bruce Schneier and security. Specifically, security people should pick some
> good topics in software and data and follow up on them - some good places to
> start Martin Fowler, Pat Helland, and Kent Beck. if you want to be taken
> seriously by developers, you need to master this stuff before lecturing
> developers on how you think the so-called SDLC should work. Plus
> understanding the software development rabbit holes in your organization
> will help you craft more successful implementations.
> Or as Steve Ballmer says,"Developers.Developers.Developers."
> 2. Eat lunch with developers
> Take some of your security budget and eat lunch or drinks or coffee with
> some folks in development. People are the keys to solutions. Security people
> need to build good relationships with the software developers that need to
> carry the mail.
> http://1raindrop.typepad.com/1_raindrop/2009/01/enterprise-security-2009-to-do-list.html
> -gunnar
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
<http://owaspsweden.blogspot.com>Co-organizer Global Summit,
<http://www.owasp.org/index.php/Summit_2011>Conf Comm,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20101209/3d57bd8d/attachment.html 

More information about the OWASP-Leaders mailing list