[Owasp-leaders] Developers vs. Security Pros

Edgar Salazar edgar.salazar at owasp.org
Tue Jun 18 20:56:58 UTC 2013


Tom, very good recommendation, beer can easily open the way. Hahaha

You can propose an interesting topic for developers like using agile
methodology to fix insecure software.

;)


2013/6/18 Tom Brennan <tomb at owasp.org>

> I can suggest (2) things
>
> #1 - Visit www.meetup.com and FIND your local developer community --- go
> buy beers and submit a talk on Security.  Work together and the chapters
> will cross pollinate.
>
> #2 - More about beer... contact me off list ;)
>
>
>
> On Tue, Jun 18, 2013 at 3:08 PM, Patrick Laverty <
> patrick.laverty at owasp.org> wrote:
>
>> I was at a local OWASP chapter meeting recently and one of the first
>> questions asked by the presenter was:
>>
>> "How many people here are the one who pesters developers when there's a
>> security issue?"
>>
>> Every hand in the room went up. Then she asked:
>>
>> "How many of you are the developer who gets pestered by the security team
>> when there's a security issue?"
>>
>> There were about 40 people in the room and I was literally the only one
>> who raised my hand.
>>
>> I'm not naming the chapter I attended, because this isn't specific to
>> that chapter. I'm seeing the exact same things with my own chapter. And
>> I've spoken with others who also see similar things.
>>
>> I just checked the OWASP Core Purpose and it doesn't say anything
>> specific about who OWASP's intended audience is.  However, I've long
>> thought that OWASP is at least, if not primarily for developers to learn
>> secure coding. From my observations it seems that the target of meetings
>> has become security professionals. I'm not sure if this is because of the
>> choice of meeting topics or just that developers aren't engaged or don't
>> care. I understand getting them engaged is a goal of the organization, but
>> have we as leaders decided that it's easier to attract security pros by
>> having talks about the latest l33t h4x0rs instead of finding new and
>> interesting ways to spread the word of secure coding? I think part of the
>> problem with the latter is sometimes, the devs see it as code specific. If
>> a presentation uses PHP as the demo language and they're a Java developer,
>> they might see it as not relevant and not attend.
>>
>> So my questions are these. Who is our intended audience? Is it OK that
>> meetings tend to attract more of the security pros than developers? Is what
>> I'm describing an "around me" problem or do you see that in your local
>> meetings as well? If you do a good job consistently attracting developers,
>> what are your meeting topics that do that? If we are mostly attracting
>> security pros, do we want to change that and if we do, how? Is anyone else
>> seeing things similarly?
>>
>> Thoughts?
>>
>> Thank you!
>>
>>  Patrick Laverty
>> OWASP Rhode Island (USA)
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>


-- 

Edgar Salazar Tovar
OWASP Venezuela Chapter Leader

Caracas, Venezuela
+58 416 2810887

Skype: eddavid.salazar
Twitter: @3ddavid
edgar.salazar at owasp.org