[Owasp-leaders] The Gap Between OWASP and Developers

Tony UV tonyuv at owasp.org
Wed Feb 23 10:44:28 EST 2011

I'll echo the appointment of Joe as a good first step.  I'll also echo my
thoughts on statements I made during the GIC meeting and say that we need to
bring OWASP to the industry. What this means is that OWASP needs to make
house calls - not as the standard model but as an auxiliary model to what we
do. In reality, this places a lot of innovative responsibility on Chapter
Leads to create events that take place in the comforts of a Fortune 500
organization <replace Fortune 500 w/ any term that is relevant to you
within your country>.  The 'gap' problem is attributed to many reasons, one
key one being simply that OWASP still has a marketing problem in reaching
dev shops in large organizations.  Developers simply are not fully aware of
who we are.  Where they have heard of OWASP, it is from the inside security person
who references OWASP in conversation with them, and it remains there; over
time the term OWASP will get lost in the developer's limited security
vernacular along with other acronyms such as PCI, HIPAA, OSSTM, ISO, etc.
(btw - I'm not equating OWASP to any of these other acronyms, so put the pen
down).  Many will agree that we continue to have an awareness issue and I
think that we need to start there.  We also have an "interested, but not that
interested that I want to attend a meeting/ event/ conference" mentality
from developers at these organizations, hence the reason to bring OWASP
events to them.  I recognize that this brings forth the issue of NDAs but
that can be avoided by us speaking to them on OWASP supplied material.  The
material and content provided will vary based upon the aptitude and maturity
level of security within these respective development shops.  Some will
respond well to hands-on 'workshops' on using proper whitelisting
techniques, strong type declarations, etc., while others may be blown away
simply going through WebGoat (the intent here with this last statement is to
define a broad spectrum of content that fits the maturity of secure coding
practices by the developer, so please don't isolate comments to the former
or latter examples).


We have tried bringing OWASP to corporations in Atlanta (non-security
vendors) and it has been a growing success.  The track record is short (a
few months) and the initial win of positive feedback is far from a final
trophy. Ultimately, each battle of increasing awareness is aimed at
increasing adoption (downloads and use of OWASP tools, references, etc.) and
participation from developers in these areas.  Security will always (and
should) be second to their functional psyche, but the hope is to get them to
differentiate OWASP from the other acronyms as something that is integrated
into their SDLC.  Reaching out to these developers in these organizations is
going to be a process where we will not be satisfied with a positive
reaction and attendance at an opening meeting within their own environment.
We want them to come out to our chapter meetings ultimately, and we want to
hear that they are using one tool or set of references as they code their
products.  I have a chapter leader who is charged with partnerships and
will serve as an 'account manager' to these organizations, where he simply
does an email ping to see if we can facilitate any questions on any of the
material and gauges adoption on a periodic basis.  All of this may or may not
be crafted into a formal methodology, rule set, or procedure on a wiki page,
or maybe it could be, but ultimately we need to consider these and many other
options to create greater awareness within these development communities.
We also added Cisco as a technology partner, so some of our chapter meetings
will become virtualized in order that these developers can attend lectures
from the comforts of their own PC.


I'll voice this tomorrow in our call, but I welcome comments, particularly
those that don't take any of the aforementioned out of context.  



Tony UcedaVelez, CISM, CISA, GSEC

Chapter Lead

OWASP Atlanta


Twitter: @versprite


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, February 23, 2011 8:56 AM
To: Feel free to browse the archives.
Cc: Joe Bernik; John Steven; Jeremiah Grossman
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers


Hi John,

may I humbly respond to your observations below?

On 23 February 2011 12:31, John Steven <John.Steven at owasp.org> wrote:


Prior to the first OWASP summit, I suggested to Dinis we needed to
make a change like Jeremiah describes. He agreed and suggested he'd
help fund anyone who I could convince to come. I actively lobbied my
clients to no avail. Since the first summit, we've all heard several
well-respected members of the OWASP community--who are not
vendors--lament how difficult it is for them to contribute. The
situation faced remains what it was and is simply:

There is no formal conduit through which the participation of
commercial entities and their employees feel comfortable contributing
while protecting their organization's privacy, intellectual property,
and employment.

EK - this is where the industry committee comes in, in some ways. It needs to
start bridging the gap between OWASP and "the world".

We have elected an industry committee chair (Joe Bernik) who is not a vendor,
which is a great start and something I support and have been preaching into
an echo chamber for the past year. This should (I hope) start to get the
ball moving and give OWASP a chance to connect with the non-vendor/consultant
community. Joe's insight into such issues should help us
understand the challenge better and even get some stuff done rather than
talking about it!



Some organizations and their employees can participate without such a
formal conduit, and that's great. Others will not be able to. I
imagine we want to actively include those who are currently precluded,
even in a first such attempt at outreach for greater involvement.
Something Joe, Tom, and other representatives from commercial entities
and I have talked about is establishing some 'ground rules' for
working with these reluctant organizations. Ground rules would need to
address the issues I described in the breakout above.

Failing to make progress on this issue is likely going to cause the
same deja vu feeling in the broader leader's list that it's doing for
me now. I think this is a 'non-starter' situation.

If someone from the Industry committee is willing to take lead on this
effort and produce a draft, I'd be happy to push it to my contacts in
industry and act as intermediary so that they could anonymously
improve it for our use.


EK - I am happy to volunteer or at least help but I'm from the "evil" board,
I don't know if this is an issue or not?

The reason I went for the board elections 14 months ago was to try and fix
the industry link issue you, Jeremiah and I are talking about. I am so glad
we are getting to this point and clever guys like you and J see this problem.
I don't know about you, but I am tired of talking security with security folk,
preaching to the choir while the real problem continues to grow.


On Fri, Feb 18, 2011 at 8:08 PM, Tom Brennan <tomb at owasp.org> wrote:
> That is the plan of the industry committee for those that missed that
mission and goal - Joe's got the ball and running with that with the team of
global industry committee
> The board nominations can take place as soon as April with election 3
months after the candidates are locked in. As we did in 2009 the candidates
need to have a "why me" document write up so that member voters can elect a
volunteer leader.
> So if you are reading this and you are an OWASP member and leader/committee
member, you are eligible to be nominated as a candidate; then the election
will happen and the 2 year term will start in January.
> I will be leading this effort with the assistance of Dan Cornell and the
rest of the Global Membership Committee like we did in 2009
> Brennan
> 9732020122
> Tom Brennan
> OWASP Foundation
> 973-202-0122
> -----Original Message-----
> From: Andre Gironda <andreg at gmail.com>
> Sender: owasp-leaders-bounces at lists.owasp.org
> Date: Fri, 18 Feb 2011 11:51:50
> To: <owasp-leaders at lists.owasp.org>
> Reply-To: "Feel free to browse the archives."
<owasp-leaders at lists.owasp.org>
> Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
> Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
> On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> I'm passing on a message from Jeremiah Grossman on
vendor/OWASP/enterprise relations. Insightful comments - especially coming
from a vendor. ;)
>> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping up
as the Industry Committee chair. I think this fits into both Jeremiah's
vision and OWASP's mission very well.
>> Aloha,
>> Jim
> Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
> and he put it very eloquently:
> "Imagine having CSOs from major eCommerce, financial services,
> healthcare, etc. organizations stacking the OWASP board"
> I think this is the BEST idea to ever come from Jeremiah, and the only
> thing I would add to it would be, "as long as WhiteHat Security
> customers are only represented as a minority and not a majority". ;>
> If vendors are recommending that their most-faithful of customers
> become the leadership instead of the vendors themselves -- we could
> end up in a much worse situation than we are already in with regards
> to promoting the believability of our appsec expertise (as well as
> actually having any real experience or direction to put forward to the
> industry).
> -Andre
>> ****
>> OWASP Leaders,
>> Want to know what scares enterprises, and by extension developers, away
from OWASP more than anything else? Us. That is, us vendors.
>> They look at who makes up the global board. 100% vendors, of one
particular ilk. They look at who sponsors, the Summit or in general, nearly
all vendors. They see who gives the presentations. Right, essentially all
vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't
also lopsided by vendors. This doesn't leave much room for the enterprise
representatives to assume key roles and influence the direction of the
organization as they should be afforded.
>> In the beginning days of OWASP, and the webappsec industry collectively,
vendors building up OWASP was absolutely essential. Many of us, myself
included, originally came from the enterprise because we saw a real (appsec)
problem that needed to be solved and we had to organize and evangelize as
vendors -- so we did. We paved the way and should be proud of that. Today
though we must recognize that it is no longer 2001, it is 2011, and many
organizations as a result have heavily invested in their application
security programs. They have much knowledge to share with their peers.
>> Imagine having CSOs from major eCommerce, financial services, healthcare,
etc. organizations stacking the OWASP board. That would speak volumes to
their peers, who it is always said need to be more included in OWASP.
Enterprises on the OWASP board would hugely encourage other organizations to
similarly invest in their application security programs and get actively
involved in the community. In my opinion, just adding "developers" doesn't
go far enough, and wouldn't influence nearly enough.
>> Personally, when nominations open, these are the candidates I'd encourage
looking and voting for. Time for the enterprises to lead and choose their
own destiny.
>> Regards,
>> Jeremiah Grossman
>> Chief Technology Officer
>> WhiteHat Security, Inc.
>> http://www.whitehatsec.com/
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
