[Owasp-leaders] developers, Developers, DEVELOPERS!

Andrea Cogliati andrea.cogliati at owasp.org
Thu Dec 9 16:23:08 EST 2010


While these are all good points, I'd like to offer a different perspective. As I mainly work (or used to work) with developers, to me the biggest challenge is that security lacks sexiness. Let's be honest, security is not cool! And why is that? Because you can't show off security, you can't measure it and prove it.

Developers are turned on by solving a problem in 3 lines of code instead of 20; they love to reduce the memory footprint or the complexity of an algorithm, because they can boast about it to their colleagues or bosses. Bruce Schneier said that between security and flying pigs, users will always prefer the latter. And for a developer it is exactly the same. There is a sense of accomplishment in doing that: you can see it, you can touch it, you can measure it. On the other side, you prevented SQL injections and XSS in your webapp? Meh... boring...

To reach out to developers the first step is to make security visible, the second step is to make security measurable. How? That's the challenge!

Andrea

On Dec 9, 2010, at 3:31 PM, Jason Li wrote:

> Agreed.
> 
> We can yell until we're blue in the face about how developers should do this or that.
> 
> While in principle, we might be right, in order to promote fundamental change in developers at large, I think we need to engage them on their terms.
> 
> If that means letting developers continue using the same "insecure" patterns they're using now and injecting some intermediary control to make it secure; or emulating a more formal SDLC process so businesses are more comfortable using our projects; or going to developer conferences and presenting approachable talks about security awareness; then that's what we need to do to improve the state of application security. We need to play the game on developers' turf, where they feel comfortable and have home-field advantage.
> 
> If I recall correctly, the Global Conferences Committee draft agenda for 2011 includes developer outreach.
> 
> We're working on the Global Projects Committee draft agenda with the goal of making projects more developer friendly in mind as well.
> 
> -Jason
> 
> On Thu, Dec 9, 2010 at 2:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
> I think the answer is, *we* go to *them*, not the other way around. WE change our methods so we develop with a more formal SDLC process in our projects. WE apply for and give talks at developer-centric conferences like JavaOne and so on. Etc.
> 
> The secret is to infiltrate the developer world with our WebAppSec majesty. :)
> 
> - Jim
> 
> PS: Infiltrate!
> 
>  
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Michael Coates
> Sent: Thursday, December 09, 2010 9:51 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] developers, Developers, DEVELOPERS!
> 
> Definitely, and the hard work is very appreciated by all in OWASP and the many users of the tools. But how do we get more developers at the chapter meetings and the conferences? It's one thing to talk about security with security professionals, but another to be able to work directly with the developers.
> 
> Michael Coates
> OWASP
> 
> On Dec 9, 2010, at 10:23 AM, Jim Manico wrote:
> 
> There are plenty of active developers (primarily Java devs) who volunteer for OWASP building secure coding libraries!
> 
> AntiSamy was authored by Jason Li and Arshan D. This is a fairly complex piece of code for HTML policy validation.
> 
> CSRFGuard was written by Eric Sheridan; it's a JavaScript tool, primarily for injecting security tokens into HTML pages for CSRF defense.
> 
> ESAPI was started by Jeff Williams and is managed by myself, Chris Beef and Kevin Wall. It's an epic secure coding library that covers a wide range of secure coding needs. There are about a dozen active devs in the Java project alone.
> 
> And there are more.
> 
> The devs at OWASP tend to be more on the introverted side, but they are here and participate by *doing*.
> 
> Do you know how crazy tough it is to get smart devs to participate in open source projects? We are lucky that OWASP has so many under the hood donating time for us...
> 
> -Jim Manico
> http://manico.net
> 
> On Dec 9, 2010, at 4:44 AM, Grzegorz Bugaj <gregbugaj at yahoo.com> wrote:
> 
> Hello
> 
> I think this is a very common trend that I see here in Oklahoma, US. As a developer, I am trying to cater more towards developers instead of security professionals to get them involved. I think the problem here is that most developers are not very security-conscious people; also, many of them are not aware of the fact that there are organizations like OWASP that could help them.
> 
> Regards
> Greg Bugaj, SCJP
> 
> From: psiinon <psiinon at gmail.com>
> To: owasp-leaders at lists.owasp.org
> Sent: Thu, December 9, 2010 4:06:33 AM
> Subject: [Owasp-leaders] Developers Vs Security professionals
> 
> Hi folks,
> 
> I'll freely admit that I'm relatively new to the world of OWASP, but I get the distinct impression that there's a significant involvement from security professionals and much less involvement from people from the software development side.
> 
> I gave a talk last night at the OWASP Leeds / Northern UK meeting in Manchester, and to test this theory I asked which of these 2 areas people worked in. Only one person (out of ~25) worked in software development, and they were an ex-colleague of mine who came to see what I was up to!
> 
> Do you think this is common? And if it is, should we be worried about it?
> 
> I'm sure we will all agree that if we can't get developers interested in security then we'll just be firefighting all of the time.
> 
> Cheers,
> 
> Simon
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
