[Owasp-leaders] The Gap Between OWASP and Developers

John Wilander john.wilander at owasp.org
Tue Feb 15 05:39:46 EST 2011

Hi Leaders!

(New email thread to get the subject right)

The recent 30+ message discussion in the aftermath of Dinis quitting the
board shows the gap between OWASP and developers. That discussion _is_ the
gap showing itself.

All of 2010 I worked as a full-time developer on a login+payment+online
subscription system. We were a team of four developers and one pm, and had
hooks to many other dev teams such as webcasts, mobile apps, social media
etc. Application security is right in there, entangled with testing,
debugging, customer support, framework patching, SSL certs, performance
tuning, third party apps etc. Working exclusively with security was not an
option. Appsec activities were handled just like the rest of the backlog.

Those developers were interested in security but they also saw the full
picture and had a tight relation with business developers. If I had an idea
or a concern I had to work with the organization and make appsec fit in with
the huge and complex world of web and business development.

But you know what? We made a real difference. Third party vendors shivered.
New protections were shipped. Security testing was enhanced. And some good
technology choices were made. Just imagine my joy when I could demo the
wonders of Burp Suite and we all realized this was an excellent tool not
just for pentesting but for webapp testing in general.

OWASP needs to enter this world. The potential impact of our knowledge is
huge. To do this we need to bridge the gap. Developers believe in other
developers and working code. If we prove ourselves there they are all ears.

I'm pushing for two developers on the board. With them we'll have all this
knowledge available when we make our top decisions. We will have instincts
telling us what will work and what will not. We will have top people both
interested and knowledgeable in the IT sector we so dearly want to have an
impact in.

So far nobody has convinced me it's a bad idea.

   Regards, John

John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm,