[Owasp-leaders] developers, Developers, DEVELOPERS!

Chris Schmidt chris.schmidt at owasp.org
Thu Dec 9 16:16:08 EST 2010


This is something I talked with a lot of people about this year at FROC,
AppSecUSA, and AppSecDC - I have been talking with Jay (the organizer for
the No Fluff Just Stuff series of development conferences) and am hoping to
have a track put together for UberConf 2011 - which is a huge 4 day extreme
development conference with an emphasis on Java. I ended up kind of sitting
in and helping with a security track with Ken Sipe at UberConf this year and
it went over very well. I think there is a very good chance of getting a
more in depth appsec track at UberConf (and possibly on the NFJS tour as
well if someone can dedicate the time to it) which would go a long way
towards accomplishing this goal.

For some more insight into this - I wrote a blog up last month that you can
read here:
http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html



On 12/9/10 1:31 PM, "Jason Li" <jason.li at owasp.org> wrote:

> Agreed.
> 
> We can yell until we're blue in the face about how developers should do this
> or that.
> 
> While in principle, we might be right, in order to promote fundamental change
> in developers at large, I think we need to engage them on their terms.
> 
> If that means letting developers continue using the same "insecure" patterns
> they're using now and injecting some intermediary control to make it secure;
> or emulating a more formal SDLC process so businesses are more comfortable
> using our projects; or going to developer conferences and presenting
> approachable talks about security awareness; then that's what we need to do to
> improve the state of application security. We need to play the game on
> developers' turf where they feel comfortable and have home-field advantage.
> 
> If I recall correctly, the Global Conferences Committee draft agenda for 2011
> includes developer outreach.
> 
> We're working on the Global Projects Committee draft agenda with the goal of
> making projects more developer friendly in mind as well.
> 
> -Jason
> 
> On Thu, Dec 9, 2010 at 2:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> I think the answer is, *we* go-to *them*, not the other way around. WE change
>> our methods so we develop with more formal SDLC process in our projects. WE
>> apply for and give talks at developer-centric conferences like Java-One and
>> so on.  Etc.
>>  
>> The secret is to infiltrate the developer world with our WebAppSec majesty. J
>>  
>> - Jim
>>  
>> PS: Infiltrate!
>>  
>> 
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Michael Coates
>> Sent: Thursday, December 09, 2010 9:51 AM
>> 
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] developers, Developers, DEVELOPERS!
>> 
>>  
>> Definitely, and the hard work is very appreciated by all in OWASP and the many
>> users of the tools.  But how do we get more developers at the chapter
>> meetings and the conferences?  It's one thing to talk about security with
>> security professionals, but another to be able to work directly with the
>> developers.
>> 
>> Michael Coates
>> 
>> OWASP
>> 
>> On Dec 9, 2010, at 10:23 AM, Jim Manico wrote:
>> 
>> 
>> There are plenty of active developers (primarily Java dev's) who volunteer
>> for OWASP building secure coding libraries! 
>> 
>>  
>> 
>> AntiSamy was authored by Jason Li and Arshan D. This is a fairly complex
>> piece of code for HTML policy validation.
>> 
>>  
>> 
>> CSRFGuard was written by Eric Sheridan; it's a JavaScript tool, primarily for
>> injecting security tokens into HTML pages for CSRF defense.
>> 
>>  
>> 
>> ESAPI was started by Jeff Williams and is managed by myself, Chris Beef and
>> Kevin Wall. It's an epic secure coding library that covers a wide range of
>> secure coding needs. There are about a dozen active dev's in the Java project
>> alone.
>> 
>>  
>> 
>> And there are more.
>> 
>>  
>> 
>> The dev's at OWASP tend to be more on the introverted side, but they are here
>> and participate by "doing".
>> 
>>  
>> 
>> Do you know how crazy tough it is to get smart dev's to participate in open source
>> projects? We are lucky that OWASP has so many under the hood donating time
>> for us...
>> 
>> 
>> -Jim Manico
>> 
>> http://manico.net <http://manico.net/>
>> 
>> 
>> On Dec 9, 2010, at 4:44 AM, Grzegorz Bugaj <gregbugaj at yahoo.com> wrote:
>>> 
>>> Hello
>>> 
>>> I think this is a very common trend that I see here in Oklahoma, US. As a
>>> developer I am trying to cater more towards developers instead of
>>> security professionals to get them involved. I think the problem here is
>>> that most developers are not very security conscious people; also many of
>>> them are not aware of the fact that there are organizations like OWASP that
>>> could help them.
>>> 
>>>  
>>> 
>>>  
>>> Regards
>>> Greg Bugaj, SCJP
>>> 
>>>  
>>> 
>>>  
>>> 
>>> 
>>> From: psiinon <psiinon at gmail.com>
>>> To: owasp-leaders at lists.owasp.org
>>> Sent: Thu, December 9, 2010 4:06:33 AM
>>> Subject: [Owasp-leaders] Developers Vs Security professionals
>>> 
>>> Hi folks,
>>> 
>>> I'll freely admit that I'm relatively new to the world of OWASP, but I
>>> get the distinct impression that there's a significant involvement from
>>> security professionals and much less involvement from people from the
>>> software development side.
>>> I gave a talk last night at the OWASP Leeds / Northern UK meeting in
>>> Manchester, and to test this theory I asked which of these 2
>>> areas people worked in.
>>> Only one person (out of ~25) worked in software development, and they
>>> were an ex-colleague of mine who came to see what I was up to!
>>> Do you think this is common?
>>> And if it is, should we be worried about it?
>>> I'm sure we will all agree that if we can't get developers interested
>>> in security then we'll just be firefighting all of the time.
>>> 
>>> Cheers,
>>> 
>>> Simon
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
>> Chris Schmidt
>> ESAPI Project Manager (http://www.esapi.org)
>> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>> Blog: http://yet-another-dev.blogspot.com
>> 
