[Owasp-leaders] The Gap Between OWASP and Developers

Mark Bristow mark.bristow at owasp.org
Tue Feb 15 08:25:03 EST 2011


Should be noted.....

I held a session on Developer Outreach at the summit, 5 people came.....

This is obviously an area we need to enhance our focus/resources in.

On Tue, Feb 15, 2011 at 8:20 AM, Eoin <eoin.keary at owasp.org> wrote:

> Nice Dinis, Nice, Now that's a thought!!!!
> Developer outreach........
>
> On 15 February 2011 12:15, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Maybe we need a "Developer's Committee"?
>>
>> Dinis Cruz
>>
>> On 15 Feb 2011, at 11:56, Eoin <eoin.keary at owasp.org> wrote:
>>
>> Hi John,
>>
>> Understand your idea.....
>>
>> I'd take it further and empower the committees with this idea.
>> As mentioned before the power of OWASP is within the committees not the
>> board in terms of strategic direction, the board only intervenes when
>> required/requested.
>>
>> For example the Industry committees are aimed at listening to industry to
>> make OWASP more relevant, focused on real issues and to try to develop
>> solutions the real world wants and needs. We have Jim Manico and Justin
>> Clarke & Jerry Hoff (I think?) as new members of the industry committee
>> along with myself; I believe we have enough developer know-how in order to
>> understand concepts at a deep level.
>>
>> In this case a developer/architect/technical person is required to dive
>> into the issues once the high level concerns are understood.
>> This goes the same for the GPC: if we want release-quality tools and
>> documents we need skilled developers/technical people, which we have to
>> assist and lead projects over the finish line.
>>
>> The developer also needs to have a mature understanding of risk. A
>> business only cares if a technical vulnerability can manifest into a real
>> risk to the business; there is a business context here which is very
>> important.
>>
>>
>> How do you recognise an individual as a developer?
>> I write code daily for example, be it proof of concepts, exploits &
>> scripts in Java, Perl, .NET etc, so am I a developer? My "current" title in
>> industry is "Senior Manager". I also was a lead developer for a number of
>> banks and telecoms companies in the last 12 years, so am I a developer? This
>> goes the same for many other board members, some people have multiple skills
>> and can not be put into one box.
>>
>> .......and the thread goes on!!
>>
>> Eoin
>>
>>
>>
>> On 15 February 2011 10:39, John Wilander <john.wilander at owasp.org> wrote:
>>
>>> Hi Leaders!
>>>
>>> (New email thread to get the subject right)
>>>
>>> The recent 30+ message discussion in the aftermath of Dinis quitting the
>>> board shows the gap between OWASP and developers. That discussion _is_ the
>>> gap showing itself.
>>>
>>> All of 2010 I worked as a full-time developer on a login+payment+online
>>> subscription system. We were a team of four developers and one pm, and had
>>> hooks to many other dev teams such as webcasts, mobile apps, social media
>>> etc. Application security is right in there, entangled with testing,
>>> debugging, customer support, framework patching, SSL certs, performance
>>> tuning, third party apps etc. Working exclusively with security was not an
>>> option. Appsec activities were handled just like the rest of the backlog.
>>>
>>> Those developers were interested in security but they also saw the full
>>> picture and had a tight relation with business developers. If I had an idea
>>> or a concern I had to work with the organization and make appsec fit in with
>>> the huge and complex world of web and business development.
>>>
>>> But you know what? We made a real difference. Third party vendors
>>> shivered. New protections were shipped. Security testing was enhanced. And
>>> some good technology choices were made. Just imagine my joy when I could
>>> demo the wonders of Burp Suite and we all realized this was an excellent
>>> tool not just for pentesting but for webapp testing in general.
>>>
>>> OWASP needs to enter this world. The potential impact of our knowledge is
>>> huge. To do this we need to bridge the gap. Developers believe in other
>>> developers and working code. If we prove ourselves there they are all ears.
>>>
>>> I'm pushing for two developers on the board. With them we'll have all
>>> this knowledge available when we make our top decisions. We will have
>>> instincts telling us what will work and what will not. We will have top
>>> people both interested and knowledgeable in the IT sector we so dearly want
>>> to have an impact in.
>>>
>>> So far nobody has convinced me it's a bad idea.
>>>
>>> Regards, John
>>>
>>> --
>>> John Wilander, https://twitter.com/johnwilander
>>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com/
>>> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
>>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>>
>> Sent from my i-Transmogrifier
>> http://asg.ie/
>> https://twitter.com/EoinKeary
>>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>


-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org