[Owasp-leaders] Developers vs. Security Pros

Patrick Laverty patrick.laverty at owasp.org
Wed Jun 19 14:32:26 UTC 2013

Thanks for all the responses. One of Simon's points stuck out for me and
I'm hoping other chapter leaders can help with it. Simon suggested:

"* Have talks specifically aimed at developers"

What sorts of talks do you hold that gets developers to show up? Do you go
over a specific OWASP Cheat Sheet? Teach SQL Injection or XSS and its
prevention? From any of the other leaders here, what types of
developer-focused talks have you had that did attract the developers? Or is
attracting them really  more organic than that?

Personally, I get anywhere from 5 to 15 attendees at my meetings. However,
twice I have held what I call "Hands On Hacking". I ask everyone to bring
their own laptop, I bring in my own wireless network, loaded with Jeremy
Druin and Adrian Crenshaw's NOWASP/Mutillidae, then I talk about one of the
Top 10 (i.e. SQL Injection) for about 20 minutes and then give them a set
of challenges against the web app. For these meetings, I consistently get
over 30 attendees. So yes, you're all right that the "breaking" is far
sexier to people and that's what everyone wants to do. However, I just hope
that as people are breaking these things, they're also thinking "Wow, this
is easy. Is it that easy on my applications and I should go audit my sites
and fix them."

But back to the question. What developer-focused talks do you hold at your
chapter meetings that are successful?

Thank you all.

Patrick Laverty
OWASP Rhode Island Chapter

On Wed, Jun 19, 2013 at 4:09 AM, psiinon <psiinon at gmail.com> wrote:

> At the first Manchester meeting we had there was only one developer other
> than me - and he was a mate who came to see what I was up to.
> I'm really pleased to say that we now get a much more even balance - at
> the last meeting there were roughly the same number of developers as
> pentesters :)
> Many developers _are_ interested in security, but they have many other
> concerns as well and may well not know about OWASP (surprising, but true).
> My recommendations (many already talked about above):
> * Ask the security people to bring along at least one developer to the
> next meeting
> * And if they dont know any, tell them to get out and meet some!
> * Have talks specifically aimed at developers
> * Go to developer groups, give talks, tell them about OWASP
> * Foster a collaborative atmosphere - I still hear far to many security
> people blaming developers - that is very damaging
> * Learn 'developer speak' - can you explain a security issue to someone
> outside the security bubble?
> Cheers,
> Simon
> On Tue, Jun 18, 2013 at 10:15 PM, Ryan Barnett <ryan.barnett at owasp.org>wrote:
>> We have the same issue attracting the Defender community -
>> https://www.owasp.org/index.php/Defenders
>> We need to attract more folks from Security Operations – the people that
>> are responsible for defending the apps once they are pushed to production.
>>  From experience, these are usually made up of:
>>    - Web server admins
>>    - Infrastructure Security personnel (Firewall, IDS, IPS and WAF)
>>    - IR/Forensic Teams
>> We need to have focused efforts to reach these folks and make sure they
>> better understand the threats and what they can, can't and should do to
>> help.
>> -Ryan
>> From: Patrick Laverty <patrick.laverty at owasp.org>
>> Date: Tuesday, June 18, 2013 3:08 PM
>> To: <OWASP-Leaders at lists.owasp.org>
>> Subject: [Owasp-leaders] Developers vs. Security Pros
>> I was at a local OWASP chapter meeting recently and one of the first
>> questions she asked by the presenter was:
>> "How many people here are the one who pesters developers when there's a
>> security issue?"
>> Every hand in the room went up. Then she asked:
>> "How many of you are the developer who gets pestered by the security team
>> when there's a security issue?"
>> There were about 40 people in the room and I was literally the only one
>> who raised my hand.
>> I'm not naming the chapter I attended, because this isn't specific to
>> that chapter. I'm seeing the exact same things with my own chapter. And
>> I've spoken with others who also see similar things.
>> I just checked the OWASP Core Purpose and it doesn't say anything
>> specific about who OWASP's intended audience is.  However, I've long
>> thought that OWASP is at least, if not primarily for developers to learn
>> secure coding. From my observations it seems that the target of meetings
>> has become security professionals. I'm not sure if this is because of the
>> choice of meeting topics or just that developers aren't engaged or don't
>> care. I understand getting them engaged is a goal of the organization, but
>> have we as leaders decided that it's easier to attract security pros by
>> having talks about the latest l33t h4x0rs instead of finding new and
>> interesting ways to spread the word of secure coding? I think part of the
>> problem with the latter is sometimes, the devs see it as code specific. If
>> a presentation uses PHP as the demo language and they're a Java developer,
>> they might see it as not relevant and not attend.
>> So my questions are these. Who is our intended audience? Is that ok that
>> meetings tend to attract more of the security pros than developers? Is what
>> I'm describing an "around me" problem or do you see that in your local
>> meetings as well? If you do a good job consistently attracting developers,
>> what are your meeting topics that do that? If we are mostly attracting
>> security pros, do we want to change that and if we do, how? Is anyone else
>> seeing things similarly?
>> Thoughts?
>> Thank you!
>> Patrick Laverty
>> OWASP Rhode Island (USA)
>> _______________________________________________ OWASP-Leaders mailing
>> list OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130619/a734a6b5/attachment-0001.html>

More information about the OWASP-Leaders mailing list