[Owasp-leaders] The Gap Between OWASP and Developers

Eoin eoin.keary at owasp.org
Tue Feb 15 08:20:12 EST 2011


Nice, Dinis, nice. Now that's a thought!!!!
Developer outreach........

On 15 February 2011 12:15, dinis cruz <dinis.cruz at owasp.org> wrote:

>  Maybe we need a "Developer's Committee"?
>
> Dinis Cruz
>
> On 15 Feb 2011, at 11:56, Eoin <eoin.keary at owasp.org> wrote:
>
> Hi John,
>
> Understand your idea.....
>
> I'd take it further and empower the committees with this idea.
> As mentioned before, the power of OWASP is within the committees, not the
> board, in terms of strategic direction; the board only intervenes when
> required/requested.
>
> For example, the Industry committees are aimed at listening to industry to
> make OWASP more relevant, focused on real issues and to try to develop
> solutions the real world wants and needs. We have Jim Manico and Justin
> Clarke & Jerry Hoff (I think?) as new members of the industry committee
> along with myself; I believe we have enough developer know-how in order to
> understand concepts at a deep level.
>
> In this case a developer/architect/technical person is required to dive
> into the issues once the high level concerns are understood.
> The same goes for the GPC: if we want release-quality tools and
> documents we need skilled developers/technical people, which we have to
> assist and lead projects over the finish line.
>
> The developer also needs to have a mature understanding of risk. A business
> only cares if a technical vulnerability can manifest into a real risk to the
> business; there is a business context here which is very important.
>
>
> How do you recognise an individual as a developer?
> I write code daily, for example, be it proof of concepts, exploits & scripts
> in Java, Perl, .NET etc., so am I a developer? My "current" title in industry
> is "Senior Manager". I also was a lead developer for a number of banks and
> telecoms companies in the last 12 years, so am I a developer? The same goes
> for many other board members; some people have multiple skills and cannot
> be put into one box.
>
> .......and the thread goes on!!
>
> Eoin
>
>
>
> On 15 February 2011 10:39, John Wilander <john.wilander at owasp.org> wrote:
>
>> Hi Leaders!
>>
>> (New email thread to get the subject right)
>>
>> The recent 30+ message discussion in the aftermath of Dinis quitting the
>> board shows the gap between OWASP and developers. That discussion _is_ the
>> gap showing itself.
>>
>> All of 2010 I worked as a full-time developer on a login+payment+online
>> subscription system. We were a team of four developers and one pm, and had
>> hooks to many other dev teams such as webcasts, mobile apps, social media
>> etc. Application security is right in there, entangled with testing,
>> debugging, customer support, framework patching, SSL certs, performance
>> tuning, third party apps etc. Working exclusively with security was not an
>> option. Appsec activities were handled just like the rest of the backlog.
>>
>> Those developers were interested in security but they also saw the full
>> picture and had a tight relationship with business developers. If I had an idea
>> or a concern I had to work with the organization and make appsec fit in with
>> the huge and complex world of web and business development.
>>
>> But you know what? We made a real difference. Third party vendors
>> shivered. New protections were shipped. Security testing was enhanced. And
>> some good technology choices were made. Just imagine my joy when I could
>> demo the wonders of Burp Suite and we all realized this was an excellent
>> tool not just for pentesting but for webapp testing in general.
>>
>> OWASP needs to enter this world. The potential impact of our knowledge is
>> huge. To do this we need to bridge the gap. Developers believe in other
>> developers and working code. If we prove ourselves there they are all ears.
>>
>> I'm pushing for two developers on the board. With them we'll have all this
>> knowledge available when we make our top decisions. We will have instincts
>> telling us what will work and what will not. We will have top people both
>> interested and knowledgeable in the IT sector we so dearly want to have an
>> impact in.
>>
>> So far nobody has convinced me it's a bad idea.
>>
>>    Regards, John
>>
>> --
>> John Wilander, https://twitter.com/johnwilander
>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>


-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary