[Owasp-leaders] The Gap Between OWASP and Developers

Abraham Kang abraham.kang at owasp.org
Wed Feb 23 21:23:41 EST 2011

What about working with developer web sites (Javaworld, Oreilly, DevX,
etc.) to co-write articles with authors writing developer tutorials.
This way you get everything at the beginning.

Or helping existing authors with revising their development books so
all of their examples are secure and explain why the
examples/tutorials they are showing are written the way they are.
Again the O'Reilly Nutshell books, APress, Wrox, Head First, etc. would
be a good place to start.  This would also help security professionals
become more understanding of developers and application development in


On 2/23/11, James McGovern <JMcGovern at virtusa.com> wrote:
> I would like to refine Tony's comment slightly. I am of the belief that
> reaching developers in large organizations is relatively easy. The
> challenge in getting them to take interest is the simple fact that
> developers in the United States in many large shops aren't really doing
> development any more. Many developers are simply cogs in the process
> known as outsourcing. They move code around, checking things in and out,
> making sure things compile, etc. While this doesn't hold true for all
> shops, I do believe as a trend this will increase.
> The bigger challenge is not in reaching developers in large shops, but
> in small ones. It is very easy for us to figure out the large employers
> in our area, find an employee that works there and encourage them to
> forward an invite. The challenge I see is in identifying all the IT
> shops even within my own chapter coverage that have, say, between 2
> developers and 100. These guys are also more important for another
> reason, in that they are probably doing less customization of commercial
> software and probably writing a lot more software from scratch.
> James McGovern
> http://twitter.com/McGovernTheory
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Tony UV
> Sent: Wednesday, February 23, 2011 10:44 AM
> To: 'Feel free to browse the archives.'
> Cc: 'Joe Bernik'; 'John Steven'; 'Cassio Goldschmidt'; 'Anurag Agarwal';
> 'Jeremiah Grossman'
> Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
> I'll echo the appointment of Joe as a good first step.  I'll also echo
> my thoughts on statements I made during the GIC meeting and say that we
> need to bring OWASP to the industry. What this means is that OWASP needs
> to make house calls - not as the standard model but as an auxiliary
> model to what we do. In reality, this places a lot of innovative
> responsibility to Chapter Leads to create events that take place in the
> comforts of a Fortune 500 organization <replace Fortune 500 w/ any term
> that is relevant to you within your country>.  The 'gap' problem is
> attributed to many reasons, one key one being simply that OWASP still
> has a marketing problem in reaching dev shops in large organizations.
> Developers simply are not aware fully of who we are.  Where they have
> heard of OWASP is the inside security person that references OWASP in
> conversation to them and it remains there, over time the term OWASP will
> get lost in the developer's limited security vernacular along with other
> acronyms such as PCI, HIPAA, OSSTM, ISO, etc (btw - I'm not equating
> OWASP to any of these other acronyms, so put the pen down).  Many will
> agree that we continue to have an awareness issue and I think that we
> need to start there.  We also have an "interested, but not that
> interested that I want to attend a meeting/ event/ conference" mentality
> from developers at these organizations, hence the reason to bring OWASP
> events to them.  I recognize that this brings forth the issue of NDAs
> but that can be avoided by us speaking to them on OWASP supplied
> material.  The material and content provided will vary based upon the
> aptitude and maturity level of security within these respective
> development shops.  Some will respond well to hands on 'workshops' of
> using proper whitelisting techniques, strong type declarations, etc
> while others may be blown away simply going through WebGoat (the intent
> here with this last statement is to define a broad spectrum of content
> that fits the maturity of secure coding practices by the developer, so
> please don't isolate comments to the former or latter examples).
> We have tried bringing OWASP to corporations in Atlanta (non-security
> vendors) and it has been a growing success.  The track record is short
> (a few months) and the initial win of positive feedback is far from
> final trophy. Ultimately, each battle of increasing awareness is aimed
> at increasing adoption (downloads and use of OWASP tools, references,
> etc) and participation from developers in these areas.  Security will
> always (and should) be second to their functional psyche but the hope is
> to get them to differentiate OWASP from the other acronyms as something
> that is integrated into their SDLC.  Reaching out to these developers in
> these organizations is going to be a process where we will not be
> satisfied with a positive reaction and attendance to an opening meeting
> within their own environment.  We want them to come out to our chapter
> meetings ultimately and we want to hear that they are using one tool or
> set of references as they code their products.  I have a chapter leader
> that is charged with partnerships and they will serve as 'account
> managers' to these organizations where he simply does an email ping to
> see if we can facilitate any questions on any of the material and gauge
> adoption on a periodic basis.  All of this may or may not be crafted
> into a formal methodology, rule set, procedure on a wiki page or maybe
> it could be but ultimately, we need to consider these and many other
> options to create greater awareness within these development
> communities.  We also added Cisco as a technology partner so some of our
> chapter meetings will become virtualized in order that these developers
> can attend lectures from the comforts of their own PC.
> I'll voice this tomorrow in our call, but I welcome comments,
> particularly those that don't take any of the aforementioned out of
> context.
> Tony UcedaVelez, CISM, CISA, GSEC
> Chapter Lead
> OWASP Atlanta
> http://www.owasp.org/index.php/Atlanta_Georgia
> Twitter: @versprite
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: Wednesday, February 23, 2011 8:56 AM
> To: Feel free to browse the archives.
> Cc: Joe Bernik; John Steven; Jeremiah Grossman
> Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
> Hi John,
> may I humbly respond to your observations below?
> On 23 February 2011 12:31, John Steven <John.Steven at owasp.org> wrote:
> All,
> Prior to the first OWASP summit, I suggested to Dinis we needed to
> make a change like Jeremiah describes. He agreed and suggested he'd
> help fund anyone who I could convince to come. I actively lobbied my
> clients to no avail. Since the first summit, we've all heard several
> well-respected members of the OWASP community--who are not
> vendors--lament how difficult it is for them to contribute. The
> situation faced remains what it was and is simply:
> ----
> There is no formal conduit through which the participation of
> commercial entities and their employees feel comfortable contributing
> while protecting their organization's privacy, intellectual property,
> and employment.
> ----
> EK - this is where the industry committee come in in some ways. It needs
> to start bridging the gap between OWASP and "the world".
> We have elected an industry committee chair (Joe Bernik) who is not a
> vendor which is a great start and something I support and have been
> preaching into an echo chamber for the past year. This should (I hope)
> start to get the ball moving and give OWASP a chance to connect with the
> non vendor/consultant community. Joe's insight into such issues should
> help understand the challenge better and even get some stuff done rather
> than talking about it!
> 	Some organizations and their employees can participate without such a
> 	formal conduit, and that's great. Others will not be able to. I
> 	imagine we want to actively include those who are currently precluded,
> 	even in a first such attempt at outreach for greater involvement.
> 
> 	Something Joe, Tom, and other representatives from commercial entities
> 	and I have talked about is establishing some 'ground rules' for
> 	working with these reluctant organizations. Ground rules would need to
> 	address the issues I described in the breakout above.
> 
> 	Failing to make progress on this issue is likely going to cause the
> 	same deja vu feeling in the broader leader's list that it's doing for
> 	me now. I think this is a 'non-starter' situation.
> 
> 	If someone from the Industry committee is willing to take lead on this
> 	effort and produce a draft, I'd be happy to push it to my contacts in
> 	industry and act as intermediary so that they could anonymously
> 	improve it for our use.
> EK - I am happy to volunteer or at least help but I'm from the "evil"
> board, I don't know if this is an issue or not?
> The reason I went for the board elections 14 months ago was to try and
> fix the industry link issue you Jeremiah and I are talking about. I am
> so glad we are getting to this point and clever guys like you and J see
> this problem. I don't know about you but I am tired of talking security
> with security folk, preaching to the choir when the real problem
> continues to grow.
> 	-jOHN
> 	On Fri, Feb 18, 2011 at 8:08 PM, Tom Brennan <tomb at owasp.org>
> wrote:
> 	> That is the plan of the industry committee for those that missed
> 	> that mission and goal - Joe's got the ball and is running with it
> 	> with the team of the global industry committee.
> 	>
> 	> The board nominations can take place as soon as April, with the
> 	> election 3 months after the candidates are locked in. As we did in
> 	> 2009, the candidates need to have a "why me" document write-up so
> 	> that member voters can elect a volunteer leader.
> 	>
> 	> So if you are reading this and you are an OWASP member and
> 	> leader/committee member, you are eligible to be nominated as a
> 	> candidate; then the election will happen and the 2-year term will
> 	> start in January.
> 	>
> 	> I will be leading this effort with the assistance of Dan Cornell
> 	> and the rest of the Global Membership Committee, like we did in
> 	> 2009.
> 	>
> 	> Brennan
> 	> 9732020122
> 	>
> 	> Tom Brennan
> 	> OWASP Foundation
> 	> 973-202-0122
> 	>
> 	> -----Original Message-----
> 	> From: Andre Gironda <andreg at gmail.com>
> 	> Sender: owasp-leaders-bounces at lists.owasp.org
> 	> Date: Fri, 18 Feb 2011 11:51:50
> 	> To: <owasp-leaders at lists.owasp.org>
> 	> Reply-To: "Feel free to browse the archives."
> <owasp-leaders at lists.owasp.org>
> 	> Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
> 	> Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
> 	>
> 	> On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico
> <jim.manico at owasp.org> wrote:
> 	>> I'm passing on a message from Jeremiah Grossman on
> vendor/OWASP/enterprise relations. Insightful comments - especially
> coming from a vendor. ;)
> 	>> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank)
> stepping up as the Industry Committee chair. I think this fits into both
> Jeremiah's vision and OWASP's mission very well.
> 	>>
> 	>> Aloha,
> 	>> Jim
> 	>
> 	> Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
> 	> and he put it very eloquently:
> 	>
> 	> "Imagine having CSOs from major eCommerce, financial services,
> 	> healthcare, etc. organizations stacking the OWASP board"
> 	>
> 	> I think this is the BEST idea to ever come from Jeremiah, and the
> 	> only thing I would add to it would be, "as long as WhiteHat Security
> 	> customers are only represented as a minority and not a majority". ;>
> 	>
> 	> If vendors are recommending that their most-faithful of customers
> 	> become the leadership instead of the vendors themselves -- we could
> 	> end up in a much worse situation than we are already in with regards
> 	> to promoting the believability of our appsec expertise (as well as
> 	> actually having any real experience or direction to put forward to
> 	> the industry).
> 	>
> 	> -Andre
> 	>
> 	>> ****
> 	>>
> 	>> OWASP Leaders,
> 	>>
> 	>> Want to know what scares enterprises, and by extension developers,
> 	>> away from OWASP more than anything else? Us. That is, us vendors.
> 	>>
> 	>> They look at who makes up the global board. 100% vendors, of one
> 	>> particular ilk. They look at who sponsors, the Summit or in general,
> 	>> nearly all vendors. They see who gives the presentations. Right,
> 	>> essentially all vendors. I wouldn't be surprised if OWASP's paid-for
> 	>> user membership wasn't also lopsided by vendors. This doesn't leave
> 	>> much room for the enterprise representatives to assume key roles and
> 	>> influence the direction of the organization as they should be
> 	>> afforded.
> 	>>
> 	>> In the beginning days of OWASP, and the webappsec industry
> 	>> collectively, vendors building up OWASP was absolutely essential.
> 	>> Many of us, myself included, originally came from the enterprise
> 	>> because we saw a real (appsec) problem that needed to be solved and
> 	>> we had to organize and evangelize as vendors -- so we did. We paved
> 	>> the way and should be proud of that. Today though we must recognize
> 	>> that it is no longer 2001, it is 2011, and many organizations as a
> 	>> result have heavily invested in their application security programs.
> 	>> They have much knowledge to share with their peers.
> 	>>
> 	>> Imagine having CSOs from major eCommerce, financial services,
> 	>> healthcare, etc. organizations stacking the OWASP board. That would
> 	>> speak volumes to their peers, who it is always said need to be more
> 	>> included in OWASP. Enterprises on the OWASP board would hugely
> 	>> encourage other organizations to similarly invest in their
> 	>> application security programs and get actively involved in the
> 	>> community. In my opinion, just adding "developers" doesn't go far
> 	>> enough, and wouldn't influence nearly enough.
> 	>>
> 	>> Personally, when nominations open, these are the candidates I'd
> 	>> encourage looking at and voting for. Time for the enterprises to
> 	>> lead and choose their own destiny.
> 	>>
> 	>> Regards,
> 	>>
> 	>> Jeremiah Grossman
> 	>> Chief Technology Officer
> 	>> WhiteHat Security, Inc.
> 	>> http://www.whitehatsec.com/
> 	>>
> 	>> _______________________________________________
> 	>> OWASP-Leaders mailing list
> 	>> OWASP-Leaders at lists.owasp.org
> 	>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 	>>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
