[Owasp-leaders] Developers vs. Security Pros

Zac Fowler zfowler at unomaha.edu
Tue Jun 18 21:06:34 UTC 2013


During our latest Omaha chapter planning meeting, this was a concern and issue of meandering several times over.  If it helps to add to this discussion, we came up with this as our guiding idea on audience:

2 Discussion of target audience

- After some discussion on the love of security professionals and the perceived needs of developers (from the viewpoint of AppSec Pros), we whittled our target audience for future [chapter] presentations to this statement:

  o "Security professionals who must educate developers in their organization."

- Keeping this in mind, we can focus our chapter output like a laser to this audience, know there is a variance, and adjust as needed after trying it this way for a bit.

Also, I second Tom's recommendations, and hello from Omaha!

-Zac Fowler
OWASP Omaha Co-leader
zfowler at unomaha.edu

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Edgar Salazar
Sent: Tuesday, June 18, 2013 3:57 PM
To: Tom Brennan
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Developers vs. Security Pros

Tom, Very good recommendation, beer can easily open the way. jajaja

You can propose an interesting topic for developers like using agile methodology to fix insecure software.


2013/6/18 Tom Brennan <tomb at owasp.org>
I can suggest (2) things
#1 - Visit www.meetup.com and FIND your local developer community --- go buy beers and submit a talk on Security.  Work together and the chapters will cross pollinate.
#2 - More about beer... contact me off list ;)

On Tue, Jun 18, 2013 at 3:08 PM, Patrick Laverty <patrick.laverty at owasp.org> wrote:
I was at a local OWASP chapter meeting recently and one of the first questions asked by the presenter was:

"How many people here are the one who pesters developers when there's a security issue?"

Every hand in the room went up. Then she asked:

"How many of you are the developer who gets pestered by the security team when there's a security issue?"

There were about 40 people in the room and I was literally the only one who raised my hand.

I'm not naming the chapter I attended, because this isn't specific to that chapter. I'm seeing the exact same things with my own chapter. And I've spoken with others who also see similar things.

I just checked the OWASP Core Purpose and it doesn't say anything specific about who OWASP's intended audience is.  However, I've long thought that OWASP is at least, if not primarily for developers to learn secure coding. From my observations it seems that the target of meetings has become security professionals. I'm not sure if this is because of the choice of meeting topics or just that developers aren't engaged or don't care. I understand getting them engaged is a goal of the organization, but have we as leaders decided that it's easier to attract security pros by having talks about the latest l33t h4x0rs instead of finding new and interesting ways to spread the word of secure coding? I think part of the problem with the latter is sometimes, the devs see it as code specific. If a presentation uses PHP as the demo language and they're a Java developer, they might see it as not relevant and not attend.

So my questions are these. Who is our intended audience? Is that ok that meetings tend to attract more of the security pros than developers? Is what I'm describing an "around me" problem or do you see that in your local meetings as well? If you do a good job consistently attracting developers, what are your meeting topics that do that? If we are mostly attracting security pros, do we want to change that and if we do, how? Is anyone else seeing things similarly?


Thank you!

Patrick Laverty
OWASP Rhode Island (USA)

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org


Edgar Salazar Tovar
OWASP Venezuela Chapter Leader

Caracas, Venezuela
+58 416 2810887

Skype: eddavid.salazar
Twitter: @3ddavid
edgar.salazar at owasp.org