[Owasp-leaders] The Gap Between OWASP and Developers

James McGovern JMcGovern at virtusa.com
Wed Feb 23 16:43:51 EST 2011

I would like to refine Tony's comment slightly. I am of the belief that
reaching developers in large organizations is relatively easy. The
challenge in getting them to take interest is the simple fact that
developers in the United States in many large shops aren't really doing
development any more. Many developers are simply cogs in the process
known as outsourcing. They move code around, checking things in and out,
making sure things compile, etc. While this doesn't hold true for all
shops, I do believe as a trend this will increase.


The bigger challenge is not in reaching developers in large shops, but
in small ones. It is very easy for us to figure out the large employers
in our area, find an employee that works there and encourage them to
forward an invite. The challenge I see is in identifying all the IT
shops even within my own chapter coverage that has say between 2
developers and 100. These guys are also more important for another
reason, in that they are probably doing less customization of commercial
software and probably writing a lot more software from scratch. 


James McGovern


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Tony UV
Sent: Wednesday, February 23, 2011 10:44 AM
To: 'Feel free to browse the archives.'
Cc: 'Joe Bernik'; 'John Steven'; 'Cassio Goldschmidt'; 'Anurag Agarwal';
'Jeremiah Grossman'
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers


I'll echo the appointment of Joe as a good first step.  I'll also echo
my thoughts on statements I made during the GIC meeting and say that we
need to bring OWASP to the industry. What this means is that OWASP needs
to make house calls - not as the standard model but as an auxiliary
model to what we do. In reality, this places a lot of innovative
responsibility to Chapter Leads to create events that take place in the
comforts of a Fortune 500 organizations <replace Fortune 500 w/ any term
that is relevant to you within your country>.  The 'gap' problem is
attributed to many reasons, one key one being simply that OWASP still
has a marketing problem in reaching dev shops in large organizations.
Developers simply are not aware fully of who we are.  Where they have
heard of OWASP is the inside security person that reference's OWASP in
conversation to them and it remains there, over time the term OWASP will
get lost in the developer's limited security vernacular along with other
acronyms such as PCI, HIPAA, OSSTM, ISO, etc (btw - I'm not equating
OWASP to any of these other acronyms, so put the pen down).  Many will
agree that we continue to have an awareness issue and I think that we
need to start there.  We also have a "interested, but not that
interested that I want to attend a meeting/ event/ conference" mentality
from developers at these organizations, hence the reason to bring OWASP
events to them.  I recognize that this brings forth the issue of NDAs
but that can be avoided by us speaking to them on OWASP supplied
material.  The material and content provided will vary based upon the
aptitude and maturity level of security within these respective
development shops.  Some will respond well to hands on 'workshops' of
using proper whitelisting techniques, strong type declarations, etc
while others may be blown away simply going through WebGoat (the intent
here with this last statement is to define a broad spectrum of content
that fits the maturity of secure coding practices by the developer, so
please don't isolate comments to the former or latter examples).  


We have tried bringing OWASP to corporations in Atlanta  (non-security
vendors) and it has been a growing success.  The track record is short
(a few months) and the initial win of positive feedback is far from
final trophy. Ultimately, each battle of increasing awareness is aimed
at increasing adoption (downloads and use of OWASP tools, references,
etc) and participation from developers in these areas.  Security will
always (and should) be second to their functional psyche but the hope is
to get them to differentiate OWASP from the other acronyms as something
that is integrated into their SDLC.  Reaching out to these developers in
these organizations is going to be a process where we will not be
satisfied with a positive reaction and attendance to an opening meeting
within their own environment.  We want them to come out to our chapter
meetings ultimately and we want to hear that they are using one tool or
set of references as they code their products.  I have a chapter leader
that is charged with partnerships and they will serve as 'account
managers' to these organizations where he simply does an email ping to
see if we can facilitate any questions on any of the material and gauge
adoption on a periodic basis.  All of this may or may not be crafted
into a formal methodology, rule set, procedure on a wiki page or maybe
it could be but ultimately, we need to consider these and many other
options to create greater awareness within these development
communities.  We also added Cisco as a technology partner so some of our
chapter meetings will become virtualized in order that these developers
can attend lectures from the comforts of their own PC.  


I'll voice this tomorrow in our call, but I welcome comments,
particularly those that don't take any of the aforementioned out of



Tony UcedaVelez, CISM, CISA, GSEC

Chapter Lead

OWASP Atlanta


Twitter: @versprite


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, February 23, 2011 8:56 AM
To: Feel free to browse the archives.
Cc: Joe Bernik; John Steven; Jeremiah Grossman
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers


Hi John,

may I humbly respond to your observations below?

On 23 February 2011 12:31, John Steven <John.Steven at owasp.org> wrote:


Prior to the first OWASP summit, I suggested to Dinis we needed to
make a change like Jeremiah describes. He agreed and suggested he'd
help fund anyone who I could convince to come. I actively lobbied my
clients to no avail. Since the first summit, we've all heard several
well-respected members of the OWASP community--who are not
vendors--lament how difficult it is for them to contribute. The
situation faced remains what it was and is simply:

There is no formal conduit through which the participation of
commercial entities and their employees feel comfortable contributing
while protecting their organization's privacy, intellectual property,
and employment.

EK - this is where the industry committee come in in some ways. It needs
to start briding the gap between OWASP and "the world".

We have elected an industry committee chair (Joe Bernik) who is not a
vendor which is a great start and something I support and have been
preaching into an echo chamber for the past year. This should ( I hope)
start to get the ball moving and give OWASP a chance to connect with the
non vendor/consultant community. Joe's insight into such issues should
help understand the challenge better and even get some stuff done rather
than talking about it! 



	Some organizations and their employees can participate without
such a
	formal conduit, and that's great. Others will not be able to. I
	imagine we want to actively include those who are currently
	even in a first such attempt at outreach for greater
	Something Joe, Tom, and other representatives from commercial
	and I have talked about is establishing some 'ground rules' for
	working with these reluctant organizations. Ground rules would
need to
	address the issues I described in the breakout above.
	Failing to make progress on this issue is likely going to cause
	same deja vu feeling in the broader leader's list that it's
doing for
	me now. I think this is a 'non-starter' situation.
	If someone from the Industry committee is willing to take lead
on this
	effort and produce a draft, I'd be happy to push it to my
contacts in
	industry and act as intermediary so that they could anonymously
	improve it for our use.


EK - I am happy to volunteer or at least help but I'm from the "evil"
board, I don't know if this is an issue or not?

The reason I went for the board elections 14 months ago was to try and
fix the industry link issue you Jeremiah and I are talking about. I am
so glad we are getting to this point and clever guys like u and J see
this problem. I dont know about you but I am tired of talking security
with security folk, preaching to the choir when the real problem
continues to grow.


	On Fri, Feb 18, 2011 at 8:08 PM, Tom Brennan <tomb at owasp.org>
	> That is the plan of the industry committee for those that
missed that mission and goal - Joe's got the ball and running with that
with the team of global industry committee
	> The board nominations can take place as soon as April with
election 3 months after the candidates are locked in. As we did in 2009
the candidates need to have a "why me" document write up so that member
voters can elect a volunteer leader.
	> So if you are reading this and you are a owasp member and
leader/committee member you are eligible to be nominated as a candidate,
then the election will happen and the 2 year term will start in January.
	> I will be leading this effort with the assistance of Dan
Cornell and the rest of the Global Membership Committee like we did in
	> Brennan
	> 9732020122
	> Tom Brennan
	> OWASP Foundation
	> 973-202-0122
	> -----Original Message-----
	> From: Andre Gironda <andreg at gmail.com>
	> Sender: owasp-leaders-bounces at lists.owasp.org
	> Date: Fri, 18 Feb 2011 11:51:50
	> To: <owasp-leaders at lists.owasp.org>
	> Reply-To: "Feel free to browse the archives."
<owasp-leaders at lists.owasp.org>
	> Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
	> Subject: Re: [Owasp-leaders] The Gap Between OWASP and
	> On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico
<jim.manico at owasp.org> wrote:
	>> I'm passing on a message from Jeremiah Grossman on
vendor/OWASP/enterprise relations. Insightful comments - especially
coming from a vendor. ;)
	>> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank)
stepping up as the Industry Committee chair. I think this fits into both
Jeremiah's vision and OWASP's mission very well.
	>> Aloha,
	>> Jim
	> Thanks for this, Jim. I absolutely agree with Jeremiah on this
	> and he put it very eloquently:
	> "Imagine having CSOs from major eCommerce, financial services,
	> healthcare, etc. organizations stacking the OWASP board"
	> I think this is the BEST idea to ever come from Jeremiah, and
the only
	> thing I would add to it would be, "as long as WhiteHat
	> customers are only represented as a minority and not a
majority". ;>
	> If vendors are recommending that their most-faithful of
	> become the leadership instead of the vendors themselves -- we
	> end up in a much worse situation than we are already in with
	> to promoting the believability of our appsec expertise (as
well as
	> actually having any real experience or direction to put
forward to the
	> industry).
	> -Andre
	>> ****
	>> OWASP Leaders,
	>> Want to know what scares enterprises, and by extension
developers, away from OWASP more than anything else? Us. That is, us
	>> They look at who makes up the global board. 100% vendors, of
one particular ilk. They look at who sponsors, the Summit or in general,
nearly all vendors. They see who gives the presentations. Right,
essentially all vendors. I wouldn't be surprised if OWASP's paid-for
user membership wasn't also lopsided by vendors. This doesn't leave much
room for the enterprise representatives to assume key roles and
influence the direction of the organization as they should be afforded.
	>> In the beginning days of OWASP, and the webappsec industry
collectively, vendors building up OWASP was absolutely essential. Many
of us, myself included, originally came from the enterprise because we
saw a real (appsec) problem that needed to be solved and we had to
organize and evangelize as vendors -- so we did. We paved the way and
should be proud of that. Today though we must recognize that it is no
longer 2001, it is 2011 are many organizations as a result have heavily
invested in their application security programs. They have much
knowledge to share with their peers.
	>> Imagine having CSOs from major eCommerce, financial services,
healthcare, etc. organizations stacking the OWASP board. That would
speak volumes to their peers, who it is always said need to be more
included in OWASP. Enterprises on the OWASP board would hugely encourage
other organizations to similarly invest in their application security
programs and get actively involved in the community. In my opinion, just
adding "developers" doesn't go far enough, and wouldn't influence nearly
	>> Personally, when nominations open, these are the candidates
I'd encourage looking and voting for. Time for the enterprises to lead
and choose their own destiny.
	>> Regards,
	>> Jeremiah Grossman
	>> Chief Technology Officer
	>> WhiteHat Security, Inc.
	>> http://www.whitehatsec.com/
	>> _______________________________________________
	>> OWASP-Leaders mailing list
	>> OWASP-Leaders at lists.owasp.org
	>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
	> _______________________________________________
	> OWASP-Leaders mailing list
	> OWASP-Leaders at lists.owasp.org
	> https://lists.owasp.org/mailman/listinfo/owasp-leaders
	> _______________________________________________
	> OWASP-Leaders mailing list
	> OWASP-Leaders at lists.owasp.org
	> https://lists.owasp.org/mailman/listinfo/owasp-leaders
	OWASP-Leaders mailing list
	OWASP-Leaders at lists.owasp.org

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier

Virtusa was recently ranked and featured in 2010 Deloitte Technology Fast 500, 2010 Global Services 100, IAOP's 2010 Global Outsourcing 100 sub-list and 2010 FinTech 100 among others.


This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is intended for the addressee only. Any unauthorized disclosure, use, dissemination, copying, or distribution of this message or any of its attachments or the information contained in this e-mail, or the taking of any action based on it, is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110223/7e75678c/attachment-0001.html 

More information about the OWASP-Leaders mailing list