[Owasp-leaders] Developers vs. Security Pros

psiinon psiinon at gmail.com
Wed Jun 19 08:09:47 UTC 2013


At the first Manchester meeting we had there was only one developer other
than me - and he was a mate who came to see what I was up to.
I'm really pleased to say that we now get a much more even balance - at the
last meeting there were roughly the same number of developers as pentesters
:)
Many developers _are_ interested in security, but they have many other
concerns as well and may well not know about OWASP (surprising, but true).

My recommendations (many already talked about above):
* Ask the security people to bring along at least one developer to the next
meeting
* And if they don't know any, tell them to get out and meet some!
* Have talks specifically aimed at developers
* Go to developer groups, give talks, tell them about OWASP
* Foster a collaborative atmosphere - I still hear far too many security
people blaming developers - that is very damaging
* Learn 'developer speak' - can you explain a security issue to someone
outside the security bubble?


Cheers,

Simon


On Tue, Jun 18, 2013 at 10:15 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:

> We have the same issue attracting the Defender community -
> https://www.owasp.org/index.php/Defenders
>
> We need to attract more folks from Security Operations – the people that
> are responsible for defending the apps once they are pushed to production.
>  From experience, these are usually made up of:
>
>    - Web server admins
>    - Infrastructure Security personnel (Firewall, IDS, IPS and WAF)
>    - IR/Forensic Teams
>
> We need to have focused efforts to reach these folks and make sure they
> better understand the threats and what they can, can't and should do to
> help.
>
> -Ryan
>
> From: Patrick Laverty <patrick.laverty at owasp.org>
> Date: Tuesday, June 18, 2013 3:08 PM
> To: <OWASP-Leaders at lists.owasp.org>
> Subject: [Owasp-leaders] Developers vs. Security Pros
>
> I was at a local OWASP chapter meeting recently and one of the first
> questions asked by the presenter was:
>
> "How many people here are the one who pesters developers when there's a
> security issue?"
>
> Every hand in the room went up. Then she asked:
>
> "How many of you are the developer who gets pestered by the security team
> when there's a security issue?"
>
> There were about 40 people in the room and I was literally the only one
> who raised my hand.
>
> I'm not naming the chapter I attended, because this isn't specific to that
> chapter. I'm seeing the exact same things with my own chapter. And I've
> spoken with others who also see similar things.
>
> I just checked the OWASP Core Purpose and it doesn't say anything specific
> about who OWASP's intended audience is.  However, I've long thought that
> OWASP is at least, if not primarily for developers to learn secure coding.
> From my observations it seems that the target of meetings has become
> security professionals. I'm not sure if this is because of the choice of
> meeting topics or just that developers aren't engaged or don't care. I
> understand getting them engaged is a goal of the organization, but have we
> as leaders decided that it's easier to attract security pros by having
> talks about the latest l33t h4x0rs instead of finding new and interesting
> ways to spread the word of secure coding? I think part of the problem with
> the latter is sometimes, the devs see it as code specific. If a
> presentation uses PHP as the demo language and they're a Java developer,
> they might see it as not relevant and not attend.
>
> So my questions are these. Who is our intended audience? Is that ok that
> meetings tend to attract more of the security pros than developers? Is what
> I'm describing an "around me" problem or do you see that in your local
> meetings as well? If you do a good job consistently attracting developers,
> what are your meeting topics that do that? If we are mostly attracting
> security pros, do we want to change that and if we do, how? Is anyone else
> seeing things similarly?
>
> Thoughts?
>
> Thank you!
>
> Patrick Laverty
> OWASP Rhode Island (USA)
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader