[Owasp-leaders] Developers vs. Security Pros

Sherif Koussa sherif.koussa at owasp.org
Tue Jun 18 19:18:20 UTC 2013


That seems to be a global problem. Here in Ottawa, we took it to heart to
try to attract software developers to our meetings, here is what we found:

- A lot of developers don't really care for software security, they'd
rather learn something new that makes their day easier or makes their
promotion sooner (who wouldn't)
- We do get some developers but the topic has to be REALLY within their
day-to-day tasks. The best is when it is something related to a pain point
they currently have. For example, we had a speaker talk about XML security,
so we had a good devs turnaround for that.
- Topics like Security Testing, Policy, Hacking, Cracking, etc. really
don't interest devs at all, you are basically telling them that their baby
is ugly and no one would like to hear that.

On the other side, the security industry tends to pay A LOT of attention
to the breakers rather than the builders or the defenders, just look at how
many tools to break software vs how many tools help to build software or
defend source code. Also, inside OWASP conferences, check how many talks
about breaking, hacking, cracking, etc vs secure code, secure architecture,


On Tue, Jun 18, 2013 at 3:08 PM, Patrick Laverty
<patrick.laverty at owasp.org> wrote:

> I was at a local OWASP chapter meeting recently and one of the first
> questions asked by the presenter was:
> "How many people here are the one who pesters developers when there's a
> security issue?"
> Every hand in the room went up. Then she asked:
> "How many of you are the developer who gets pestered by the security team
> when there's a security issue?"
> There were about 40 people in the room and I was literally the only one
> who raised my hand.
> I'm not naming the chapter I attended, because this isn't specific to that
> chapter. I'm seeing the exact same things with my own chapter. And I've
> spoken with others who also see similar things.
> I just checked the OWASP Core Purpose and it doesn't say anything specific
> about who OWASP's intended audience is.  However, I've long thought that
> OWASP is at least, if not primarily for developers to learn secure coding.
> From my observations it seems that the target of meetings has become
> security professionals. I'm not sure if this is because of the choice of
> meeting topics or just that developers aren't engaged or don't care. I
> understand getting them engaged is a goal of the organization, but have we
> as leaders decided that it's easier to attract security pros by having
> talks about the latest l33t h4x0rs instead of finding new and interesting
> ways to spread the word of secure coding? I think part of the problem with
> the latter is sometimes, the devs see it as code specific. If a
> presentation uses PHP as the demo language and they're a Java developer,
> they might see it as not relevant and not attend.
> So my questions are these. Who is our intended audience? Is that ok that
> meetings tend to attract more of the security pros than developers? Is what
> I'm describing an "around me" problem or do you see that in your local
> meetings as well? If you do a good job consistently attracting developers,
> what are your meeting topics that do that? If we are mostly attracting
> security pros, do we want to change that and if we do, how? Is anyone else
> seeing things similarly?
> Thoughts?
> Thank you!
> Patrick Laverty
> OWASP Rhode Island (USA)