[Owasp-leaders] developers, Developers, DEVELOPERS!

Martin Knobloch martin.knobloch at owasp.org
Fri Dec 10 04:22:20 EST 2010


All,

The problem is not that developers do not want to code secure applications!
The problem is simply that they don't know! We, and that goes for all security
guys, do organize and visit the security conferences. Developers do organize
and visit developer conferences!
We have a lot of material to build secure applications, tools and
documentation, but we have failed to spread the word to developers. As
previously stated, developers are trained and paid to implement
functionality; security... that is what security guys do.

To get this misunderstanding out of the world, we need to reach out to the
developers! We have to be at the developer conferences, make OWASP known
there!
That is the reason I got involved with the Education Project and
Committee. We have to make the OWASP material accessible, in small
understandable pieces, for those who do development. Not only the developers,
but also the testers, project managers... all involved in software
development!
Is security sexy? We ourselves make the same mistakes. See the OWASP AppSec
conferences, where it is still more sexy to speak about how to break stuff
than how to build it secure. We are listening to people on how
to exploit new threats, but not telling how to solve them!

I speak frequently at developer conferences in Europe and at
universities to spread the OWASP word. One of the opportunities as a result of
this is a thing we will do together with JavaRanch.com.
We still have to figure out the details, but for now I can share that, during the
summit, JavaRanch.com will have an online event where Java developers can ask
security related questions to be answered by OWASP Java specialists! This
will be promoted highly by JavaRanch and we will have to do our share! I am
counting on your support when this is happening with answering those
questions!

So, developers want to build secure code; they (at least most of them)
just don't know what that is!

Cheers,
~Martin

On Thu, Dec 9, 2010 at 11:09 PM, Chris Schmidt <chris.schmidt at owasp.org> wrote:

> On the contrary - and having been primarily a software developer for the
> last 5 years (and unprofessionally prior to that XD) I contest that the
> challenge is getting the problem in front of developers to allow them to
> *make it sexy* as you accurately put it.
>
> The reason I got involved with ESAPI is because I was using portions of it
> and thought to myself - there is a much better way to solve this exact
> problem and it is, in fact, a great deal sexier.
>
> You are absolutely correct when you say that developers want to be able to
> show off the things they do - and I personally think that they/we are in the
> best position to take security and turn it into sexy frameworks or integrate
> it with existing frameworks. And as most of us know - from the software
> development side of the fence, application security is still a virtual
> oil-field just waiting for people to tap in and take their share of the
> glory.
>
> Thus I still contend that by "cross-pollinating" as I put it in my blog
> post, this holds the best chance for both communities to come together and
> make strides towards the ultimate end-game - being 2 steps ahead of the bad
> guys.
>
> This is of course my $0.02 - but it is indeed something I feel strongly
> about and feel I am in a good position to evaluate as a software developer
> that does security (as are a lot of other people on this list for the exact
> same reason).
>
>
> On 12/9/10 2:23 PM, "Andrea Cogliati" <andrea.cogliati at owasp.org> wrote:
>
> > While these are all good points, I'd like to offer a different perspective. As
> > I mainly work (or used to work) with developers, to me the biggest challenge
> > is that security lacks sexiness. Let's be honest, security is not cool! And
> > why is that? Because you can't show off security, you can't measure it and
> > prove it.
> >
> > Developers are turned on by solving a problem in 3 lines of code instead of
> > 20; they love to reduce the memory footprint or the complexity of an
> > algorithm, because they can boast about it to their colleagues or bosses.
> > Bruce Schneier said that between security and flying pigs, users will always
> > prefer the latter. And for a developer it is exactly the same. There is a sense
> > of accomplishment in doing that: you can see it, you can touch it, you can
> > measure it. On the other side, you prevented SQL injections and XSS in your
> > webapp? Meh... boring...
> >
> > To reach out to developers the first step is to make security visible, the
> > second step is to make security measurable. How? That's the challenge!
> >
> > Andrea
> >
> > On Dec 9, 2010, at 3:31 PM, Jason Li wrote:
> >
> >> Agreed.
> >>
> >> We can yell until we're blue in the face about how developers should do this
> >> or that.
> >>
> >> While in principle, we might be right, in order to promote fundamental change
> >> in developers at large, I think we need to engage them on their terms.
> >>
> >> If that means letting developers continue using the same "insecure" patterns
> >> they're using now and injecting some intermediary control to make it secure;
> >> or emulating a more formal SDLC process so businesses are more comfortable
> >> using our projects; or going to developer conferences and presenting
> >> approachable talks about security awareness; then that's what we need to do
> >> to improve the state of application security. We need to play the game on
> >> developers' turf where they feel comfortable and have home-field advantage.
> >>
> >> If I recall correctly, the Global Conferences Committee draft agenda for 2011
> >> includes developer outreach.
> >>
> >> We're working on the Global Projects Committee draft agenda with the goal of
> >> making projects more developer friendly in mind as well.
> >>
> >> -Jason
> >>
> >> On Thu, Dec 9, 2010 at 2:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >> I think the answer is, *we* go to *them*, not the other way around. WE change
> >> our methods so we develop with more formal SDLC process in our projects. WE
> >> apply for and give talks at developer-centric conferences like Java-One and
> >> so on. Etc.
> >>
> >> The secret is to infiltrate the developer world with our WebAppSec majesty. :)
> >>
> >> - Jim
> >>
> >> PS: Infiltrate!
> >>
> >> From: owasp-leaders-bounces at lists.owasp.org
> >> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Michael Coates
> >> Sent: Thursday, December 09, 2010 9:51 AM
> >> To: owasp-leaders at lists.owasp.org
> >> Subject: Re: [Owasp-leaders] developers, Developers, DEVELOPERS!
> >>
> >>
> >> Definitely, and the hard work is very appreciated by all in OWASP and the many
> >> users of the tools. But how do we get more developers at the chapter
> >> meetings and the conferences? It's one thing to talk about security with
> >> security professionals, but another to be able to work directly with the
> >> developers.
> >>
> >> Michael Coates
> >>
> >> OWASP
> >>
> >> On Dec 9, 2010, at 10:23 AM, Jim Manico wrote:
> >>
> >> There are plenty of active developers (primarily Java devs) who volunteer
> >> for OWASP building secure coding libraries!
> >>
> >> AntiSamy was authored by Jason Li and Arshan D. This is a fairly complex
> >> piece of code for HTML policy validation.
> >>
> >> CSRFGuard was written by Eric Sheridan; it's a JavaScript tool, primarily for
> >> injecting security tokens into HTML pages for CSRF defense.
> >>
> >> ESAPI was started by Jeff Williams and is managed by myself, Chris Beef and
> >> Kevin Wall. It's an epic secure coding library that covers a wide range of
> >> secure coding needs. There are about a dozen active devs in the Java project
> >> alone.
> >>
> >> And there are more.
> >>
> >> The devs at OWASP tend to be more on the introverted side, but they are here
> >> and participate by "doing".
> >>
> >> Do you know how crazy tough it is to get smart devs to participate in open source
> >> projects? We are lucky that OWASP has so many under the hood donating time
> >> for us...
> >>
> >> -Jim Manico
> >>
> >> http://manico.net
> >>
> >>
> >> On Dec 9, 2010, at 4:44 AM, Grzegorz Bugaj <gregbugaj at yahoo.com> wrote:
> >>
> >> Hello
> >>
> >> I think this is a very common trend that I see here in Oklahoma, US. As a
> >> developer I am trying to cater more towards developers instead of security
> >> professionals to get them involved. I think the problem here is that most
> >> developers are not very security conscious people; also many of them are not
> >> aware of the fact that there are organizations like OWASP that could help
> >> them.
> >>
> >> Regards
> >> Greg Bugaj, SCJP
> >>
> >>
> >> From: psiinon <psiinon at gmail.com>
> >> To: owasp-leaders at lists.owasp.org
> >> Sent: Thu, December 9, 2010 4:06:33 AM
> >> Subject: [Owasp-leaders] Developers Vs Security professionals
> >>
> >> Hi folks,
> >>
> >> I'll freely admit that I'm relatively new to the world of OWASP, but I
> >> get the distinct impression that there's a significant involvement from
> >> security professionals and much less involvement from people from the
> >> software development side.
> >> I gave a talk last night at the OWASP Leeds / Northern UK meeting in
> >> Manchester, and to test this theory I asked which of these 2
> >> areas people worked in.
> >> Only one person (out of ~25) worked in software development, and they
> >> were an ex-colleague of mine who came to see what I was up to!
> >> Do you think this is common?
> >> And if it is, should we be worried about it?
> >> I'm sure we will all agree that if we can't get developers interested
> >> in security then we'll just be firefighting all of the time.
> >>
> >> Cheers,
> >>
> >> Simon
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> Chris Schmidt
> ESAPI Project Manager (http://www.esapi.org)
> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
> Blog: http://yet-another-dev.blogspot.com
>