[Owasp-leaders] The Gap Between OWASP and Developers

Eoin eoin.keary at owasp.org
Tue Feb 15 06:55:38 EST 2011


Hi John,

Understand your idea.....

I'd take it further and empower the committees with this idea.
As mentioned before, the power of OWASP is within the committees, not the
board, in terms of strategic direction; the board only intervenes when
required/requested.

For example, the Industry committees are aimed at listening to industry to
make OWASP more relevant, focused on real issues, and to try to develop
solutions the real world wants and needs. With Jim Manico, Justin Clarke &
Jerry Hoff (I think?) as new members of the Industry Committee, along with
myself, I believe we have enough developer know-how to understand concepts
at a deep level.

In this case, a developer/architect/technical person is required to dive into
the issues once the high-level concerns are understood.
The same goes for the GPC: if we want release-quality tools and documents
we need skilled developers/technical people, which we have, to assist and
lead projects over the finish line.

The developer also needs to have a mature understanding of risk. A business
only cares if a technical vulnerability can manifest into a real risk to the
business; there is a business context here which is very important.


How do you recognise an individual as a developer?
I write code daily, for example, be it proofs of concept, exploits & scripts
in Java, Perl, .NET etc., so am I a developer? My "current" title in industry
is "Senior Manager". I also was a lead developer for a number of banks and
telecoms companies in the last 12 years, so am I a developer? The same goes
for many other board members; some people have multiple skills and cannot
be put into one box.

.......and the thread goes on!!

Eoin



On 15 February 2011 10:39, John Wilander <john.wilander at owasp.org> wrote:

> Hi Leaders!
>
> (New email thread to get the subject right)
>
> The recent 30+ message discussion in the aftermath of Dinis quitting the
> board shows the gap between OWASP and developers. That discussion _is_ the
> gap showing itself.
>
> All of 2010 I worked as a full-time developer on a login+payment+online
> subscription system. We were a team of four developers and one pm, and had
> hooks to many other dev teams such as webcasts, mobile apps, social media
> etc. Application security is right in there, entangled with testing,
> debugging, customer support, framework patching, SSL certs, performance
> tuning, third party apps etc. Working exclusively with security was not an
> option. Appsec activities were handled just like the rest of the backlog.
>
> Those developers were interested in security but they also saw the full
> picture and had a tight relation with business developers. If I had an idea
> or a concern I had to work with the organization and make appsec fit in with
> the huge and complex world of web and business development.
>
> But you know what? We made a real difference. Third party vendors shivered.
> New protections were shipped. Security testing was enhanced. And some good
> technology choices were made. Just imagine my joy when I could demo the
> wonders of Burp Suite and we all realized this was an excellent tool not
> just for pentesting but for webapp testing in general.
>
> OWASP needs to enter this world. The potential impact of our knowledge is
> huge. To do this we need to bridge the gap. Developers believe in other
> developers and working code. If we prove ourselves there they are all ears.
>
> I'm pushing for two developers on the board. With them we'll have all this
> knowledge available when we make our top decisions. We will have instincts
> telling us what will work and what will not. We will have top people both
> interested and knowledgeable in the IT sector we so dearly want to have an
> impact in.
>
> So far nobody has convinced me it's a bad idea.
>
>    Regards, John
>
> --
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary