[Owasp-leaders] developers, Developers, DEVELOPERS!

Tony UV tonyuv at owasp.org
Fri Dec 10 10:24:23 EST 2010


Although what you said is true, one message that I use, having lived it
myself, is to encourage developers to embrace security, not as a form of
drudgery, but at the very least as a form of not having to enter remediation
hell with compliance, audit, risk people at your door on code that they
originated in a DEV environment 6 months ago and is now in PROD and they are
working on version n+1 or 2 and really would like to continue on their
current development efforts.  Developers like NEW things, not having to fix
OLD things.  Maintenance on OLD code is not sexy (it's not even slutty to be
honest)

Also, if you explain to developers step by step how an exploit works,
they will appreciate the 'sexiness' of it b/c it's reshaping their
constructive mindset to one of being destructive for the sake of seeing how
their code can become mangled in the hands of mal-intentioned users.

Tony UcedaVelez, CISM, CISA, GSEC
Chapter Lead
OWASP Atlanta
http://www.owasp.org/index.php/Atlanta_Georgia
Twitter: @versprite

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
Sent: Friday, December 10, 2010 9:01 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] developers, Developers, DEVELOPERS!

Figured I would provide a different perspective on why security isn't sexy.

If you have had the privilege of being an employee of a large Fortune
enterprise, you would come to understand that AT BEST a developer spends 25%
of their time actually writing code. Anything additional just feels like
just another opportunity (sarcastic) to explain a technical concept to a
non-technical IT executive. Developers would take more interest in security
if we could help them be more agile. Right now Infosec professionals are
making the process worse and the auditors most certainly aren't agile.

James McGovern
http://twitter.com/mcgoverntheory
    

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of psiinon
Sent: Friday, December 10, 2010 4:38 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] developers, Developers, DEVELOPERS!

I'm a bit surprised by the perceived lack of 'sexiness' in security -
my experiences differ from this.
My background is in software development - I've been developing java
webapps for 14 years now.
I talk to a lot of developers and functional testers, and they care
about the products they develop and they know security is important.
They just haven't had any training. And most security websites not
surprisingly deal with hacking or pen testing - these are somehow seen
as 'dangerous' and are often blocked by corporate firewalls.
So pen testing is 'forbidden knowledge', which _is_ sexy ;)
I argue that you can't develop secure apps without knowing how to attack
them.
You don't have to be a qualified pen tester, but you need to know
something of what the bad guys will do.
To that end I teach basic pen testing techniques to developers and
functional testers - and that seems to go down very well!
This isn't an alternative to other training, static source code
analysis, professional pen testing etc etc
But I think it makes developers think about their apps in a different way.
It's why I released the Zed Attack Proxy - I wanted a pen test tool
that was simple enough for developers with little security experience
to use.
If they use it when coding then basic vulnerabilities might be picked
up much earlier than they would be otherwise.

Cheers,

Simon
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
