[Owasp-leaders] Reaching developers = cooperative hackathons

James McGovern JMcGovern at virtusa.com
Tue Sep 7 09:48:50 EDT 2010

Increasingly, software development is going offshore (at least in the
United States) and therefore it is incumbent upon OWASP to not just
target developers, but to reach other demographics of IT professionals
in terms of outreach.  The Hartford chapter has had success in reaching
out to ISACA and doing a joint meeting.  As a profession, auditors also
want to mature their discipline and at some level have been struggling
to understand why their audit criteria aren't preventing modern-day
attacks. OWASP is best positioned to help them think about better audit
policies and to move beyond silliness of auditing for clean-desk
policies, whether a developer has all of their number two pencils
sharpened or other meaningless constructs. If you can show an auditor
that there are simple things they can do to measure security such as
making sure every project adheres to the OWASP Top Ten and
organizational maturity around SAMM, then we can move the needle in an
even bigger way.


We can also agree that many of the successful attacks aren't really
caused by coding mistakes of developers, but really can be attributed to
suboptimal architecture decisions made by some architect who threw a
design over the wall without understanding the ramifications of their
choices. What if we collectively thought of a Top Ten list for
Architects to consider when designing software...


James McGovern
Insurance SBU 

Virtusa Corporation

100 Northfield Drive, Suite 305 | Windsor, CT | 06095

Phone:  860 688 9900 Ext:  1037 | Facsimile:  860 688 2890  

  <http://www.virtusa.com/>    <http://www.virtusa.com/blog/>   


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John
Sent: Sunday, September 05, 2010 4:01 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Reaching developers = cooperative hackathons


Dear OWASP leaders,


At last year's AppSec USA I had several interesting discussions with you
on OWASP's inability to reach developers. We've been stuck in "Preaching
for the choir" far too long. The "Bring a developer" at this year's
conference will hopefully make a difference.


But we can make a difference on a regional level too, especially all of
us who are chapter leaders! I have really been thinking "What can my
chapter do to reach out to more developers?"


The solution was cooperation.


This weekend OWASP Sweden successfully held "Community Hack" - a two-day
hackathon - together with the regional FOSS community (FOSS = Free Open
Source Software). A majority of the attendees were developers.
Developers who now know about OWASP. Many of them also joined our


So what's the trick? Well, developers like to do things, such as develop
software. During hackathons you bring your computer and you do things.
You learn new tools, try out new languages and frameworks, develop new
applications, and investigate the unknown. In other words appsec and
foss communities have much in common! During a hackathon you can always
mix in technical talks, demos and discussions. It's the perfect way of
reaching developers. We did it and it was a blast.


If you'd like to have a Community Hack in your region or country, this
is what we did:

1. Make contact with the regional or national open source movement.
   They're good guys. Try to set up a cooperation for hack.
2. Set up a wiki page where attendees can post which projects
   they're going to work on. This helps to inspire others who want to come
   but don't have a project yet.
3. Get sponsoring for breakfast, soft drinks, snacks etc. It's easy
   since all the software companies want to sponsor. We had to reject a
   handful of sponsoring offers!
4. Get a venue with office tables and a decent wireless network. We
   cooperated with academia who provided us with a place free of charge.
5. Start the hackathon with a "stand up" where everybody gets to
   introduce themselves and their project during ~20 seconds.
6. Hack away. Have breakout sessions with talks or workshops.
   Socialize. Tell non-chapter members about OWASP.
7. End with a round of summaries or demos of what people have done.

Please let me know if you try this out or if you already are running


   Kind regards, John



PS.  I won't be attending the AppSec US in Irvine :(. Too busy and no
funding. Hope you all have a great time!  DS.


PPS.  Swedish blog entry with pictures from the Community Hack: 
http://owaspsweden.blogspot.com/2010/09/cmtyhack-ii-ar-over.html .  DS.

John Wilander
Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
Conference chair OWASP AppSec Research 2010, http://owasp.se

