[Owasp-leaders] The Gap Between OWASP and Developers

Tony UV tonyuv at owasp.org
Wed Feb 23 22:42:33 EST 2011

James, I completely disagree…at least in terms of smaller shops being the larger problem to security adoption. Given that my firm is not in the Gartner magic quadrant and does not boast any SC awards (as of yet), we work a large part with smaller firms who opt for innovation versus what I call ‘security bling’. We work with 100-200 people companies with 10-15% of those being development teams. Small companies are more likely to roll up their sleeves and adopt methodologies, tools, and code snippets that they can leverage. I’m not saying that they take any open source anything and run with it; however, it’s a great platform for them to build upon. I’ve also had my fill with several start-up firms, and those who have lived that life before know that you quickly have to adopt and react to demands from the business, clients, or in a regulatory sense. A 10 to 50 million dollar shop that acts as a data processor handling sensitive data is in the same boat as Experian, Equifax, TSW, Acxiom, Krolls, etc., from a regulatory standpoint, so from my experience with multiple firms, both in the consultative sense and as a former insider, you quickly scramble to identify resources or technology or standards that you can leverage in order that you can ‘do things right’, whether it be for the wrong reasons (compliance) or the right reasons (protecting customer info is good karma in the business world and simply the right thing to do, and can actually improve efficiency if done correctly). Larger organizations, on the other hand, are stifled in bureaucratic procedures that prevent them from saying ‘hey, here’s an organization that works with industry leaders, let’s leverage what they can contribute’. A large part of this is for reasons that have been talked about in the GIC channels, such as legal issues as well as support, which are legitimate but not deal breakers IMHO.
Going back to smaller dev shops, I know for a fact that dev managers would die for some of Jerry Hoff’s appsec training given that (a) they have little to no training budget, (b) they don’t want to procure someone to train their developers when they really can’t qualify good vs bad training and (c) they can’t originate that content or training medium on their own due to time, expertise and resource constraints.


Overall, the approach that I recommend we take is to try to organize our pitch(es) and approach so that our message is relatable from an industry-to-industry perspective, but flexible enough to not put everyone into buckets. Yes, large organizations do some overseas development, but not everyone (in the pure sense of the word) uses TCS, Infosys, Wipro, etc., so where those are not relevant, let’s bring OWASP to their house and set up a healthy discussion. Where they do perform offshore development, let’s work with our regional leaders in those areas in order to socialize OWASP-related material/events more there, as well as work with leaders stateside/EU-side/EMEA-side/APAC-side in order to introduce OWASP concepts down to their dev shops. Their respective MSAs (master service agreements) with these shops will ultimately come into play, but there’s always opportunity to help them alter such language at opportune times (re-signings) in order that certain standards and practices (OWASP related) could be introduced from the outsourcer to the outsourcee. Also, for larger shops, you don’t want to address the entirety of a dev community, but create win opportunities where you work with a dedicated team of developers for a particular business application function if possible. So for that large Fortune 25 firm with 500 coders all over the planet, the pitch is not to the 500 but rather creating an OWASP win story with a team of developers that may be working on dev projects for a business unit. This drastically lowers the developer count to more manageable numbers and fosters a greater opportunity for an OWASP success story.


To the other point made on reaching out to dev groups, etc. – all for it as well, as I think it’s a separate vehicle that requires a slightly different approach, since the driver is more individualistic than company mandated.


Tony UcedaVelez, CISM, CISA, GSEC

Atlanta Chapter President

Membership Committee Global Board Member

OWASP Atlanta


Twitter: @versprite


From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
Sent: Wednesday, February 23, 2011 4:44 PM
To: Feel free to browse the archives.
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers


I would like to refine Tony’s comment slightly. I am of the belief that reaching developers in large organizations is relatively easy. The challenge in getting them to take interest is the simple fact that developers in the United States in many large shops aren’t really doing development any more. Many developers are simply cogs in the process known as outsourcing. They move code around, checking things in and out, making sure things compile, etc. While this doesn’t hold true for all shops, I do believe as a trend this will increase.


The bigger challenge is not in reaching developers in large shops, but in small ones. It is very easy for us to figure out the large employers in our area, find an employee that works there and encourage them to forward an invite. The challenge I see is in identifying all the IT shops, even within my own chapter coverage, that have, say, between 2 developers and 100. These guys are also more important for another reason, in that they are probably doing less customization of commercial software and probably writing a lot more software from scratch.


James McGovern


From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Tony UV
Sent: Wednesday, February 23, 2011 10:44 AM
To: 'Feel free to browse the archives.'
Cc: 'Joe Bernik'; 'John Steven'; 'Cassio Goldschmidt'; 'Anurag Agarwal'; 'Jeremiah Grossman'
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers


I’ll echo the appointment of Joe as a good first step. I’ll also echo my thoughts on statements I made during the GIC meeting and say that we need to bring OWASP to the industry. What this means is that OWASP needs to make house calls – not as the standard model but as an auxiliary model to what we do. In reality, this places a lot of innovative responsibility on Chapter Leads to create events that take place in the comforts of a Fortune 500 organization <replace Fortune 500 w/ any term that is relevant to you within your country>. The ‘gap’ problem is attributed to many reasons, one key one being simply that OWASP still has a marketing problem in reaching dev shops in large organizations. Developers simply are not fully aware of who we are. Where they have heard of OWASP, it is from the inside security person that references OWASP in conversation with them, and it remains there; over time the term OWASP will get lost in the developer’s limited security vernacular along with other acronyms such as PCI, HIPAA, OSSTM, ISO, etc. (btw – I’m not equating OWASP to any of these other acronyms, so put the pen down). Many will agree that we continue to have an awareness issue and I think that we need to start there. We also have an “interested, but not that interested that I want to attend a meeting/event/conference” mentality from developers at these organizations, hence the reason to bring OWASP events to them. I recognize that this brings forth the issue of NDAs, but that can be avoided by us speaking to them on OWASP-supplied material. The material and content provided will vary based upon the aptitude and maturity level of security within these respective development shops.
Some will respond well to hands-on ‘workshops’ on using proper whitelisting techniques, strong type declarations, etc., while others may be blown away simply going through WebGoat (the intent here with this last statement is to define a broad spectrum of content that fits the maturity of secure coding practices by the developer, so please don’t isolate comments to the former or latter examples).


We have tried bringing OWASP to corporations in Atlanta (non-security vendors) and it has been a growing success. The track record is short (a few months) and the initial win of positive feedback is far from the final trophy. Ultimately, each battle of increasing awareness is aimed at increasing adoption (downloads and use of OWASP tools, references, etc.) and participation from developers in these areas. Security will always (and should) be second to their functional psyche, but the hope is to get them to differentiate OWASP from the other acronyms as something that is integrated into their SDLC. Reaching out to these developers in these organizations is going to be a process where we will not be satisfied with a positive reaction and attendance to an opening meeting within their own environment. We want them to come out to our chapter meetings ultimately, and we want to hear that they are using one tool or set of references as they code their products. I have a chapter leader who is charged with partnerships and who will serve as ‘account manager’ to these organizations, where he simply does an email ping to see if we can facilitate any questions on any of the material and gauge adoption on a periodic basis. All of this may or may not be crafted into a formal methodology, rule set, or procedure on a wiki page, or maybe it could be, but ultimately we need to consider these and many other options to create greater awareness within these development communities. We also added Cisco as a technology partner, so some of our chapter meetings will become virtualized in order that these developers can attend lectures from the comforts of their own PC.


I’ll voice this tomorrow in our call, but I welcome comments, particularly those that don’t take any of the aforementioned out of context.  



Tony UcedaVelez, CISM, CISA, GSEC

Chapter Lead

OWASP Atlanta


Twitter: @versprite


From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
Sent: Wednesday, February 23, 2011 8:56 AM
To: Feel free to browse the archives.
Cc: Joe Bernik; John Steven; Jeremiah Grossman
Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers


Hi John,

may I humbly respond to your observations below?

On 23 February 2011 12:31, John Steven <John.Steven at owasp.org> wrote:


Prior to the first OWASP summit, I suggested to Dinis we needed to
make a change like Jeremiah describes. He agreed and suggested he'd
help fund anyone who I could convince to come. I actively lobbied my
clients to no avail. Since the first summit, we've all heard several
well-respected members of the OWASP community--who are not
vendors--lament how difficult it is for them to contribute. The
situation faced remains what it was and is simply:

There is no formal conduit through which the participation of
commercial entities and their employees feel comfortable contributing
while protecting their organization's privacy, intellectual property,
and employment.

EK - this is where the industry committee comes in, in some ways. It needs to start bridging the gap between OWASP and "the world".

We have elected an industry committee chair (Joe Bernik) who is not a vendor, which is a great start and something I support and have been preaching into an echo chamber for the past year. This should (I hope) start to get the ball moving and give OWASP a chance to connect with the non-vendor/consultant community. Joe's insight into such issues should help understand the challenge better and even get some stuff done rather than talking about it!



Some organizations and their employees can participate without such a
formal conduit, and that's great. Others will not be able to. I
imagine we want to actively include those who are currently precluded,
even in a first such attempt at outreach for greater involvement.
Something Joe, Tom, and other representatives from commercial entities
and I have talked about is establishing some 'ground rules' for
working with these reluctant organizations. Ground rules would need to
address the issues I described in the breakout above.

Failing to make progress on this issue is likely going to cause the
same deja vu feeling in the broader leader's list that it's doing for
me now. I think this is a 'non-starter' situation.

If someone from the Industry committee is willing to take lead on this
effort and produce a draft, I'd be happy to push it to my contacts in
industry and act as intermediary so that they could anonymously
improve it for our use.


EK - I am happy to volunteer or at least help, but I'm from the "evil" board; I don't know if this is an issue or not?

The reason I went for the board elections 14 months ago was to try and fix the industry link issue you, Jeremiah and I are talking about. I am so glad we are getting to this point and clever guys like you and J see this problem. I don't know about you, but I am tired of talking security with security folk, preaching to the choir while the real problem continues to grow.


On Fri, Feb 18, 2011 at 8:08 PM, Tom Brennan <tomb at owasp.org> wrote:
> That is the plan of the industry committee for those that missed that mission and goal - Joe's got the ball and running with that with the team of global industry committee
> The board nominations can take place as soon as April with election 3 months after the candidates are locked in. As we did in 2009 the candidates need to have a "why me" document write up so that member voters can elect a volunteer leader.
> So if you are reading this and you are an OWASP member and leader/committee member, you are eligible to be nominated as a candidate; then the election will happen and the 2 year term will start in January.
> I will be leading this effort with the assistance of Dan Cornell and the rest of the Global Membership Committee like we did in 2009
> Brennan
> 9732020122
> Tom Brennan
> OWASP Foundation
> 973-202-0122
> -----Original Message-----
> From: Andre Gironda <andreg at gmail.com>
> Sender: owasp-leaders-bounces at lists.owasp.org
> Date: Fri, 18 Feb 2011 11:51:50
> To: <owasp-leaders at lists.owasp.org>
> Reply-To: "Feel free to browse the archives." <owasp-leaders at lists.owasp.org>
> Cc: Jeremiah Grossman<jeremiah at whitehatsec.com>
> Subject: Re: [Owasp-leaders] The Gap Between OWASP and Developers
> On Fri, Feb 18, 2011 at 11:29 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> I'm passing on a message from Jeremiah Grossman on vendor/OWASP/enterprise relations. Insightful comments - especially coming from a vendor. ;)
>> I'm really happy to see Joe Bernik (CISO at Fifth Third Bank) stepping up as the Industry Committee chair. I think this fits into both Jeremiah's vision and OWASP's mission very well.
>> Aloha,
>> Jim
> Thanks for this, Jim. I absolutely agree with Jeremiah on this issue
> and he put it very eloquently:
> "Imagine having CSOs from major eCommerce, financial services,
> healthcare, etc. organizations stacking the OWASP board"
> I think this is the BEST idea to ever come from Jeremiah, and the only
> thing I would add to it would be, "as long as WhiteHat Security
> customers are only represented as a minority and not a majority". ;>
> If vendors are recommending that their most-faithful of customers
> become the leadership instead of the vendors themselves -- we could
> end up in a much worse situation than we are already in with regards
> to promoting the believability of our appsec expertise (as well as
> actually having any real experience or direction to put forward to the
> industry).
> -Andre
>> ****
>> OWASP Leaders,
>> Want to know what scares enterprises, and by extension developers, away from OWASP more than anything else? Us. That is, us vendors.
>> They look at who makes up the global board. 100% vendors, of one particular ilk. They look at who sponsors, the Summit or in general, nearly all vendors. They see who gives the presentations. Right, essentially all vendors. I wouldn't be surprised if OWASP's paid-for user membership wasn't also lopsided by vendors. This doesn't leave much room for the enterprise representatives to assume key roles and influence the direction of the organization as they should be afforded.
>> In the beginning days of OWASP, and the webappsec industry collectively, vendors building up OWASP was absolutely essential. Many of us, myself included, originally came from the enterprise because we saw a real (appsec) problem that needed to be solved and we had to organize and evangelize as vendors -- so we did. We paved the way and should be proud of that. Today though we must recognize that it is no longer 2001, it is 2011, and many organizations as a result have heavily invested in their application security programs. They have much knowledge to share with their peers.
>> Imagine having CSOs from major eCommerce, financial services, healthcare, etc. organizations stacking the OWASP board. That would speak volumes to their peers, who it is always said need to be more included in OWASP. Enterprises on the OWASP board would hugely encourage other organizations to similarly invest in their application security programs and get actively involved in the community. In my opinion, just adding "developers" doesn't go far enough, and wouldn't influence nearly enough.
>> Personally, when nominations open, these are the candidates I'd encourage looking and voting for. Time for the enterprises to lead and choose their own destiny.
>> Regards,
>> Jeremiah Grossman
>> Chief Technology Officer
>> WhiteHat Security, Inc.
>> http://www.whitehatsec.com/
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier


