[Owasp-leaders] Developers vs. Security Pros

Ryan Barnett ryan.barnett at owasp.org
Tue Jun 18 21:15:28 UTC 2013

We have the same issue attracting the Defender community -

We need to attract more folks from Security Operations - the people that are
responsible for defending the apps once they are pushed to production.  From
experience, these are usually made up of:
* Web server admins
* Infrastructure Security personnel (Firewall, IDS, IPS and WAF)
* IR/Forensic Teams
We need to have focused efforts to reach these folks and make sure they
better understand the threats and what they can, can't and should do to


From:  Patrick Laverty <patrick.laverty at owasp.org>
Date:  Tuesday, June 18, 2013 3:08 PM
To:  <OWASP-Leaders at lists.owasp.org>
Subject:  [Owasp-leaders] Developers vs. Security Pros

> I was at a local OWASP chapter meeting recently and one of the first questions
> asked by the presenter was:
> "How many people here are the one who pesters developers when there's a
> security issue?" 
> Every hand in the room went up. Then she asked:
> "How many of you are the developer who gets pestered by the security team when
> there's a security issue?"
> There were about 40 people in the room and I was literally the only one who
> raised my hand. 
> I'm not naming the chapter I attended, because this isn't specific to that
> chapter. I'm seeing the exact same things with my own chapter. And I've spoken
> with others who also see similar things.
> I just checked the OWASP Core Purpose and it doesn't say anything specific
> about who OWASP's intended audience is.  However, I've long thought that OWASP
> is at least, if not primarily for developers to learn secure coding. From my
> observations it seems that the target of meetings has become security
> professionals. I'm not sure if this is because of the choice of meeting topics
> or just that developers aren't engaged or don't care. I understand getting
> them engaged is a goal of the organization, but have we as leaders decided
> that it's easier to attract security pros by having talks about the latest
> l33t h4x0rs instead of finding new and interesting ways to spread the word of
> secure coding? I think part of the problem with the latter is sometimes, the
> devs see it as code specific. If a presentation uses PHP as the demo language
> and they're a Java developer, they might see it as not relevant and not
> attend. 
> So my questions are these. Who is our intended audience? Is it ok that
> meetings tend to attract more of the security pros than developers? Is what
> I'm describing an "around me" problem or do you see that in your local
> meetings as well? If you do a good job consistently attracting developers,
> what are your meeting topics that do that? If we are mostly attracting
> security pros, do we want to change that and if we do, how? Is anyone else
> seeing things similarly?
> Thoughts?
> Thank you!
> Patrick Laverty
> OWASP Rhode Island (USA)
