[Owasp-leaders] The Gap Between OWASP and Developers

Martin Knobloch martin.knobloch at owasp.org
Tue Feb 15 08:31:58 EST 2011


As we have a University Outreach, too, maybe we could join 'outreach
efforts' to prevent inventing the wheel over again.
Of course, the outreach targets are different, but we can learn from each
other's lessons.
Also, we can reach developers early at universities, right!

Cheers,
~Martin

On Tue, Feb 15, 2011 at 2:25 PM, Mark Bristow <mark.bristow at owasp.org> wrote:

> Should be noted.....
>
> I held a session on Developer Outreach at the summit, 5 people came.....
>
> This is obviously an area we need to enhance our focus/resources in.
>
>
> On Tue, Feb 15, 2011 at 8:20 AM, Eoin <eoin.keary at owasp.org> wrote:
>
>> Nice Dinis, Nice, Now that's a thought!!!!
>> Developer outreach........
>>
>> On 15 February 2011 12:15, dinis cruz <dinis.cruz at owasp.org> wrote:
>>
>>> Maybe we need a "Developer's Committee"?
>>>
>>> Dinis Cruz
>>>
>>> On 15 Feb 2011, at 11:56, Eoin <eoin.keary at owasp.org> wrote:
>>>
>>> Hi John,
>>>
>>> Understand your idea.....
>>>
>>> I'd take it further and empower the committees with this idea.
>>> As mentioned before the power of OWASP is within the committees not the
>>> board in terms of strategic direction, the board only intervenes when
>>> required/requested.
>>>
>>> For example, the Industry committees are aimed at listening to industry to
>>> make OWASP more relevant, focused on real issues, and to try to develop
>>> solutions the real world wants and needs. We have Jim Manico and Justin
>>> Clarke & Jerry Hoff (I think?) as new members of the industry committee
>>> along with myself. I believe we have enough developer know-how in order to
>>> understand concepts at a deep level.
>>>
>>> In this case a developer/architect/technical person is required to dive
>>> into the issues once the high level concerns are understood.
>>> This goes the same for the GPC, if we want release quality tools and
>>> documents we need skilled developers/technical people, which we have to
>>> assist and lead projects over the finish line.
>>>
>>> The developer also needs to have a mature understanding of risk. A
>>> business only cares if a technical vulnerability can manifest into a real
>>> risk to the business; there is a business context here which is very
>>> important.
>>>
>>>
>>> How do you recognise an individual as a developer?
>>> I write code daily, for example, be it proof of concepts, exploits &
>>> scripts in Java, Perl, .NET etc., so am I a developer? My "current" title in
>>> industry is "Senior Manager". I also was a lead developer for a number of
>>> banks and telecoms companies in the last 12 years, so am I a developer? This
>>> goes the same for many other board members; some people have multiple skills
>>> and cannot be put into one box.
>>>
>>> .......and the thread goes on!!
>>>
>>> Eoin
>>>
>>>
>>>
>>> On 15 February 2011 10:39, John Wilander <john.wilander at owasp.org> wrote:
>>>
>>>> Hi Leaders!
>>>>
>>>> (New email thread to get the subject right)
>>>>
>>>> The recent 30+ message discussion in the aftermath of Dinis quitting the
>>>> board shows the gap between OWASP and developers. That discussion _is_ the
>>>> gap showing itself.
>>>>
>>>> All of 2010 I worked as a full-time developer on a login+payment+online
>>>> subscription system. We were a team of four developers and one pm, and had
>>>> hooks to many other dev teams such as webcasts, mobile apps, social media
>>>> etc. Application security is right in there, entangled with testing,
>>>> debugging, customer support, framework patching, SSL certs, performance
>>>> tuning, third party apps etc. Working exclusively with security was not an
>>>> option. Appsec activities were handled just like the rest of the backlog.
>>>>
>>>> Those developers were interested in security but they also saw the full
>>>> picture and had a tight relation with business developers. If I had an idea
>>>> or a concern I had to work with the organization and make appsec fit in with
>>>> the huge and complex world of web and business development.
>>>>
>>>> But you know what? We made a real difference. Third party vendors
>>>> shivered. New protections were shipped. Security testing was enhanced. And
>>>> some good technology choices were made. Just imagine my joy when I could
>>>> demo the wonders of Burp Suite and we all realized this was an excellent
>>>> tool not just for pentesting but for webapp testing in general.
>>>>
>>>> OWASP needs to enter this world. The potential impact of our knowledge
>>>> is huge. To do this we need to bridge the gap. Developers believe in other
>>>> developers and working code. If we prove ourselves there they are all ears.
>>>>
>>>> I'm pushing for two developers on the board. With them we'll have all
>>>> this knowledge available when we make our top decisions. We will have
>>>> instincts telling us what will work and what will not. We will have top
>>>> people both interested and knowledgeable in the IT sector we so dearly want
>>>> to have an impact in.
>>>>
>>>> So far nobody has convinced me it's a bad idea.
>>>>
>>>> Regards, John
>>>>
>>>> --
>>>> John Wilander, https://twitter.com/johnwilander
>>>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>>>> Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
>>>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> Eoin Keary
>>> OWASP Global Board Member
>>> OWASP Code Review Guide Lead Author
>>>
>>> Sent from my i-Transmogrifier
>>> http://asg.ie/
>>> https://twitter.com/EoinKeary
>>>
>>>
>>>
>>
>>
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>>
>> Sent from my i-Transmogrifier
>> http://asg.ie/
>> https://twitter.com/EoinKeary
>>
>>
>>
>
>
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org
>
>
>
>