[Owasp-leaders] Developers vs. Security Pros

Patrick Laverty patrick.laverty at owasp.org
Tue Jun 18 19:08:21 UTC 2013


I was at a local OWASP chapter meeting recently and one of the first
questions asked by the presenter was:

"How many people here are the one who pesters developers when there's a
security issue?"

Every hand in the room went up. Then she asked:

"How many of you are the developer who gets pestered by the security team
when there's a security issue?"

There were about 40 people in the room and I was literally the only one who
raised my hand.

I'm not naming the chapter I attended, because this isn't specific to that
chapter. I'm seeing the exact same things with my own chapter. And I've
spoken with others who also see similar things.

I just checked the OWASP Core Purpose and it doesn't say anything specific
about who OWASP's intended audience is. However, I've long thought that
OWASP is at least, if not primarily, for developers to learn secure coding.
From my observations it seems that the target of meetings has become
security professionals. I'm not sure if this is because of the choice of
meeting topics or just that developers aren't engaged or don't care. I
understand getting them engaged is a goal of the organization, but have we
as leaders decided that it's easier to attract security pros by having
talks about the latest l33t h4x0rs instead of finding new and interesting
ways to spread the word of secure coding? I think part of the problem with
the latter is sometimes, the devs see it as code specific. If a
presentation uses PHP as the demo language and they're a Java developer,
they might see it as not relevant and not attend.

So my questions are these. Who is our intended audience? Is it ok that
meetings tend to attract more of the security pros than developers? Is what
I'm describing an "around me" problem or do you see that in your local
meetings as well? If you do a good job consistently attracting developers,
what are your meeting topics that do that? If we are mostly attracting
security pros, do we want to change that and if we do, how? Is anyone else
seeing things similarly?

Thoughts?

Thank you!

Patrick Laverty
OWASP Rhode Island (USA)