[Owasp-leaders] Fwd: 2012 Rugged Summit

John Wilander john.wilander at owasp.org
Tue Sep 4 23:13:27 UTC 2012

Hi all!

Just a few comments on what you wrote, Teresa:

2012/9/4 Teresa Stevens <teresa-ann-stevens at comcast.net>

> But, in my opinion, most developers are not even aware of the most
> commonly avoided security vulnerabilities. There is very little to "no"
> awareness and training given to developers.

This has been said over and over but I experience that it's becoming less
true. I meet quite a few developers who have basic and even advanced
security knowledge. SQLi and XSS in their simpler forms are fairly common
knowledge these days. Doing a vanilla OWASP Top 10 presentation will not
get you a speaker slot at an established developer conference anymore. ;)

> Writing secure code does not take that much longer.

That's true for some cases but not true at all for others. Take for
instance a remember-me feature of a mobile app. One way is to store the
user's plain text password in the app. A more secure way is to implement
Digest Access Authentication à la RFC2617 (
http://tools.ietf.org/html/rfc2617) and integrate it with the existing
password scheme. The difference is about a month for a whole development
team. Just testing is a pretty tough one. I know, since I did it.

> There needs to be more of an emphasis on "security awareness and training"
> given to developers.

As long as it's not done "from security *down* to developers" I'm with you.

   Regards, John (main author of the Rugged Developer chapter)

John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se