[Owasp-leaders] The Gap Between OWASP and Developers

John Steven John.Steven at owasp.org
Wed Feb 23 09:23:05 EST 2011


Comment in line.

On Wed, Feb 23, 2011 at 2:56 PM, Eoin <eoin.keary at owasp.org> wrote:
> Hi John,
> may I humbly respond to your observations below?

It would appear so, and effectively.

>> ----
>> There is no formal conduit through which the participation of
>> commercial entities and their employees feel comfortable contributing
>> while protecting their organization's privacy, intellectual property,
>> and employment.
>> ----
>>
> EK - this is where the industry committee comes in, in some ways. It needs to
> start bridging the gap between OWASP and "the world".
> We have elected an industry committee chair (Joe Bernik) who is not a vendor
> which is a great start and something I support and have been preaching into
> an echo chamber for the past year. This should ( I hope) start to get the
> ball moving and give OWASP a chance to connect with the non
> vendor/consultant community. Joe's insight into such issues should help
> understand the challenge better and even get some stuff done rather than
> talking about it!

This is where the Industry committee _should_ come in. You and I
discussed this during your board run (as you mentioned), at least
obliquely. I think we're of similar mind on the issue. However, I
think we can safely say that, to date, the industry committee has not
successfully alleviated the problem.  This doesn't mean that the
committee won't change course or increase speed or otherwise become
effective and I think Joe may be a good guy to operate the helm.

> EK - I am happy to volunteer or at least help but I'm from the "evil" board,
> I don't know if this is an issue or not?
> The reason I went for the board elections 14 months ago was to try and fix
> the industry link issue you, Jeremiah and I are talking about. I am so glad
> we are getting to this point and clever guys like u and J see this problem.
> I don't know about you but I am tired of talking security with security folk,
> preaching to the choir when the real problem continues to grow.

I think this is one issue on which we have to "talk amongst
ourselves": we've got an existing barrier to involving more
non-security folk. Though, that isn't to say that industry and dev
can't help us overcome this issue. But, unless we agree as a community
that a framework for safe participation is necessary and actually
build/socialize it, we won't get the leverage and bi-directional
involvement we're all craving in our "Developers vs. Security"
discussions. This issue _is_ important for us security guys to agree
on because any functioning framework must have compulsory elements to
it, to protect privacy/IP/etc. of participants. That represents a
culture shift for some aspects of OWASP (though I don't think the
whole culture need be affected -- this list's NDA thread was
particularly illuminating as a misstep, IMO). And, frankly, from what
I heard of Dinis and Jeff's "open radically transparent platform"
commentary during the governance discussions, this _is_ a stretch for
OWASP. As in athletics, stretching has benefits but can cause injury
itself if underestimated.

-jOHN
