[Owasp-leaders] Developers vs. Security Pros

Tom Brennan tomb at owasp.org
Tue Jun 18 20:44:02 UTC 2013


I can suggest (2) things

#1 - Visit www.meetup.com and FIND your local developer community --- go
buy beers and submit a talk on Security.  Work together and the chapters
will cross pollinate.

#2 - More about beer... contact me off list ;)



On Tue, Jun 18, 2013 at 3:08 PM, Patrick Laverty
<patrick.laverty at owasp.org> wrote:

> I was at a local OWASP chapter meeting recently and one of the first
> questions asked by the presenter was:
>
> "How many people here are the one who pesters developers when there's a
> security issue?"
>
> Every hand in the room went up. Then she asked:
>
> "How many of you are the developer who gets pestered by the security team
> when there's a security issue?"
>
> There were about 40 people in the room and I was literally the only one
> who raised my hand.
>
> I'm not naming the chapter I attended, because this isn't specific to that
> chapter. I'm seeing the exact same things with my own chapter. And I've
> spoken with others who also see similar things.
>
> I just checked the OWASP Core Purpose and it doesn't say anything specific
> about who OWASP's intended audience is.  However, I've long thought that
> OWASP is at least, if not primarily, for developers to learn secure coding.
> From my observations it seems that the target of meetings has become
> security professionals. I'm not sure if this is because of the choice of
> meeting topics or just that developers aren't engaged or don't care. I
> understand getting them engaged is a goal of the organization, but have we
> as leaders decided that it's easier to attract security pros by having
> talks about the latest l33t h4x0rs instead of finding new and interesting
> ways to spread the word of secure coding? I think part of the problem with
> the latter is sometimes, the devs see it as code specific. If a
> presentation uses PHP as the demo language and they're a Java developer,
> they might see it as not relevant and not attend.
>
> So my questions are these. Who is our intended audience? Is it OK that
> meetings tend to attract more of the security pros than developers? Is what
> I'm describing an "around me" problem or do you see that in your local
> meetings as well? If you do a good job consistently attracting developers,
> what are your meeting topics that do that? If we are mostly attracting
> security pros, do we want to change that and if we do, how? Is anyone else
> seeing things similarly?
>
> Thoughts?
>
> Thank you!
>
> Patrick Laverty
> OWASP Rhode Island (USA)