[Owasp-leaders] developers, Developers, DEVELOPERS!

psiinon psiinon at gmail.com
Fri Dec 10 04:38:09 EST 2010

I'm a bit surprised by the perceived lack of 'sexiness' in security -
my experiences differ from this.
My background is in software development - I've been developing java
webapps for 14 years now.
I talk to a lot of developers and functional testers, and they care
about the products they develop and they know security is important.
They just haven't had any training. And most security websites, not
surprisingly, deal with hacking or pen testing - these are somehow seen
as 'dangerous' and are often blocked by corporate firewalls.
So pen testing is 'forbidden knowledge', which _is_ sexy ;)
I argue that you can't develop secure apps without knowing how to attack them.
You don't have to be a qualified pen tester, but you need to know
something of what the bad guys will do.
To that end I teach basic pen testing techniques to developers and
functional testers - and that seems to go down very well!
This isn't an alternative to other training, static source code
analysis, professional pen testing etc.
But I think it makes developers think about their apps in a different way.
It's why I released the Zed Attack Proxy - I wanted a pen test tool
that was simple enough for developers with little security experience
to use.
If they use it when coding then basic vulnerabilities might be picked
up much earlier than they would be otherwise.