[Owasp-leaders] Developers vs. Security Pros

Jonathan Marcil jonathan.marcil at owasp.org
Thu Jun 20 02:32:31 UTC 2013

On 2013-06-19 10:32, Patrick Laverty wrote:
> But back to the question. What developer-focused talks do you hold at
> your chapter meetings that are successful?
> Thank you all.
> Patrick Laverty
> OWASP Rhode Island Chapter

Hi Patrick,

I have some experience in choosing security talks for developers as I
run the security track at the annual ConFoo conference (600+ attendees)
here in Montreal since many years.

I have also made 2 OWASP Montreal joined events this year with
developers communities.

I have some basic tips that really work over the years :
- Target which developers (language? framework? stack?)
- Have a broad subject (usually "something security" is enough)

And for the local community joint :
- Offer the talk as a break, a replacement from their monthly event

A bonus that always works :
- Take someone that people know or from a company they know (in your
case, what the developers know)

Concrete examples :

In ConFoo, one of most viewed (83 headcount with an usual average of
30-40 for my selection) security talk was "Web Security" :
We spammed people during lunch before with that hyper-generic talk. I
saw people standing up to be able to be in the room; that normally rimes
with success.

At OWASP Montreal, we did a french presentation named "Secure coding for
Java". All I did was to ask the Montreal Java User Group in their
mailling list, and they came. 34 attendees, almost all of them Java devs.

We also did "Drupal Security" with a guy from the company behind Drupal
that came from N-Y and we had food. 37 attendees. Only one or two were
infosec guys (I asked). This time also, the Montreal Drupal community
did an invitation to their contacts.

A normal OWASP Montreal meeting is from 15 to 30 people, so these two
are counted as success.

As for beer (and free food), I'd say it work equally with security
people and developers alike, it's really an universal attraction!

In conclusion, I think that even if my direct OWASP reach for developers
is somewhat poor, I use other channels to promote targeted meetings like
that and it works very well.

Also in ConFoo, we put swag and business card with the Top10 in every
bag and have a booth at the event, I don't know if it's working because
I can't track people that way, but at least OWASP is seen by many
Montreal developers.

Hope this helps,

 - Jonathan Marcil
   OWASP Montreal Chapter Leader
   jonathan.marcil at owasp.org

More information about the OWASP-Leaders mailing list