[Owasp-leaders] developers, Developers, DEVELOPERS!

Alexander Jason (NHS Connecting for Health) jason.alexander at nhs.net
Fri Dec 10 06:30:09 EST 2010

After Simon started the conversation at our last chapter meeting we have had a few responses from people who are either developers or have connections to developers. What we are now doing is offering to go talk at these dev meetings about either OWASP projects or OWASP as a whole. So in essence this is us going to them, which hopefully will bring them to us..... Developer outreach... just remember, a developer is not just for Christmas ;)

Jason Alexander
OWASP Leeds/Northern UK chapter leader

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Martin Knobloch
Sent: 10 December 2010 10:01
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] developers, Developers, DEVELOPERS!

That's my point! I don't think that security is not sexy enough for developers. They just don't know.
Therefore, I think (and that is what I put quite some time into) we should put some more effort into spreading the OWASP word in developer communities!
On Fri, Dec 10, 2010 at 10:38 AM, psiinon <psiinon at gmail.com> wrote:
I'm a bit surprised by the perceived lack of 'sexiness' in security -
my experiences differ from this.
My background is in software development - I've been developing java
webapps for 14 years now.
I talk to a lot of developers and functional testers, and they care
about the products they develop and they know security is important.
They just haven't had any training. And most security websites not
surprisingly deal with hacking or pen testing - these are somehow seen
as 'dangerous' and are often blocked by corporate firewalls.
So pen testing is 'forbidden knowledge', which _is_ sexy ;)
I argue that you can't develop secure apps without knowing how to attack them.
You don't have to be a qualified pen tester, but you need to know
something of what the bad guys will do.
To that end I teach basic pen testing techniques to developers and
functional testers - and that seems to go down very well!
This isn't an alternative to other training, static source code
analysis, professional pen testing etc etc
But I think it makes developers think about their apps in a different way.
It's why I released the Zed Attack Proxy - I wanted a pen test tool
that was simple enough for developers with little security experience
to use.
If they use it when coding then basic vulnerabilities might be picked
up much earlier than they would be otherwise.


OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org


