[Owasp-leaders] developers, Developers, DEVELOPERS!

Chris Schmidt chris.schmidt at owasp.org
Thu Dec 9 17:09:45 EST 2010


On the contrary - and having been primarily a software developer for the
last 5 years (and unprofessionally prior to that XD) I contest that the
challenge is getting the problem in front of developers to allow them to
*make it sexy* as you accurately put it.

The reason I got involved with ESAPI is because I was using portions of it
and thought to myself - there is a much better way to solve this exact
problem and it is, in fact, a great deal sexier.

You are absolutely correct when you say that developers want to be able to
show off the things they do - and I personally think that they/we are in the
best position to take security and turn it into sexy frameworks or integrate
it with existing frameworks. And as most of us know - from the software
development side of the fence, application security is still a virtual
oil-field just waiting for people to tap in and take their share of the
glory. 

Thus I still contend that by "cross-pollinating" as I put it in my blog
post, this holds the best chance for both communities to come together and
make strides towards the ultimate end-game - being 2 steps ahead of the bad
guys.

This is of course my $0.02 - but it is indeed something I feel strongly
about and feel I am in a good position to evaluate as a software developer
that does security (as are a lot of other people on this list for the exact
same reason).


On 12/9/10 2:23 PM, "Andrea Cogliati" <andrea.cogliati at owasp.org> wrote:

> While these are all good points, I'd like to offer a different perspective. As
> I mainly work (or used to work) with developers, to me the biggest challenge
> is that security lacks sexiness. Let's be honest, security is not cool! And
> why is that? Because you can't show off security, you can't measure it and
> prove it.
> 
> Developers are turned on by solving a problem in 3 lines of code instead of
> 20; they love to reduce the memory footprint or the complexity of an
> algorithm, because they can boast about it to their colleagues or bosses.
> Bruce Schneier said that between security and flying pigs, users will always
> prefer the latter. And for a developer it is exactly the same. There is a sense
> of accomplishment in doing that: you can see it, you can touch it, you can
> measure it. On the other side, you prevented SQL injections and XSS in your
> webapp? Meh... boring...
> 
> To reach out to developers the first step is to make security visible, the
> second step is to make security measurable. How? That's the challenge!
> 
> Andrea
> 
> On Dec 9, 2010, at 3:31 PM, Jason Li wrote:
> 
>> Agreed.
>> 
>> We can yell until we're blue in the face about how developers should do this
>> or that.
>> 
>> While in principle, we might be right, in order to promote fundamental change
>> in developers at large, I think we need to engage them on their terms.
>> 
>> If that means letting developers continue using the same "insecure" patterns
>> they're using now and injecting some intermediary control to make it secure;
>> or emulating a more formal SDLC process so businesses are more comfortable
>> using our projects; or going to developer conferences and presenting
>> approachable talks about security awareness; then that's what we need to do
>> to improve the state of application security. We need to play the game on
>> developers' turf where they feel comfortable and have home-field advantage.
>> 
>> If I recall correctly, the Global Conferences Committee draft agenda for 2011
>> includes developer outreach.
>> 
>> We're working on the Global Projects Committee draft agenda with the goal of
>> making projects more developer friendly in mind as well.
>> 
>> -Jason
>> 
>> On Thu, Dec 9, 2010 at 2:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> I think the answer is, *we* go-to *them*, not the other way around. WE change
>> our methods so we develop with more formal SDLC process in our projects. WE
>> apply for and give talks at developer-centric conferences like Java-One and
>> so on.  Etc.
>> 
>> The secret is to infiltrate the developer world with our WebAppSec majesty.
>> 
>> - Jim
>> 
>> PS: Infiltrate!
>> 
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Michael Coates
>> Sent: Thursday, December 09, 2010 9:51 AM
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] developers, Developers, DEVELOPERS!
>> 
>> Definitely, and the hard work is very appreciated by all in OWASP and the many
>> users of the tools. But how do we get more developers at the chapter
>> meetings and the conferences? It's one thing to talk about security with
>> security professionals, but another to be able to work directly with the
>> developers.
>> 
>> Michael Coates
>> 
>> OWASP
>> 
>> On Dec 9, 2010, at 10:23 AM, Jim Manico wrote:
>> 
>> There are plenty of active developers (primarily Java dev's) who volunteer
>> for OWASP building secure coding libraries!
>> 
>> AntiSamy was authored by Jason Li and Arshan D. This is a fairly complex
>> piece of code for HTML policy validation.
>> 
>> CSRFGuard was written by Eric Sheridan; it's a JavaScript tool, primarily for
>> injecting security tokens into HTML pages for CSRF defense.
>> 
>> ESAPI was started by Jeff Williams and is managed by myself, Chris Beef and
>> Kevin Wall. It's an epic secure coding library that covers a wide range of
>> secure coding needs. There are about a dozen active dev's in the Java project
>> alone.
>> 
>> And there are more.
>> 
>> The dev's at OWASP tend to be more on the introverted side, but they are here
>> and participate by "doing".
>> 
>> Do you know how crazy tough it is to get smart dev's to participate in open source
>> projects? We are lucky that OWASP has so many under the hood donating time
>> for us...
>> 
>> -Jim Manico
>> 
>> http://manico.net
>> 
>> 
>> On Dec 9, 2010, at 4:44 AM, Grzegorz Bugaj <gregbugaj at yahoo.com> wrote:
>> 
>> Hello
>> 
>> I think this is a very common trend that I see here in Oklahoma, US. As a
>> developer I am trying to cater more towards developers instead of security
>> professionals to get them involved. I think the problem here is that most
>> developers are not very security conscious people; also many of them are not
>> aware of the fact that there are organizations like OWASP that could help
>> them.
>> 
>> Regards
>> Greg Bugaj, SCJP
>> 
>> From: psiinon <psiinon at gmail.com>
>> To: owasp-leaders at lists.owasp.org
>> Sent: Thu, December 9, 2010 4:06:33 AM
>> Subject: [Owasp-leaders] Developers Vs Security professionals
>> 
>> Hi folks,
>> 
>> I'll freely admit that I'm relatively new to the world of OWASP, but I
>> get the distinct impression that there's a significant involvement from
>> security professionals and much less involvement from people from the
>> software development side.
>> I gave a talk last night at the OWASP Leeds / Northern UK meeting in
>> Manchester, and to test this theory I asked which of these 2
>> areas people worked in.
>> Only one person (out of ~25) worked in software development, and they
>> were an ex-colleague of mine who came to see what I was up to!
>> Do you think this is common?
>> And if it is, should we be worried about it?
>> I'm sure we will all agree that if we can't get developers interested
>> in security then we'll just be firefighting all of the time.
>> 
>> Cheers,
>> 
>> Simon
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
