[Owasp-leaders] Developers vs. Security Pros

Tobias tobias.gondrom at owasp.org
Thu Jun 20 02:50:40 UTC 2013


Just to give some different data:
at our last OWASP EUTour Day in London, I asked the same question and it
turned out we had about 90% devs in the room of about 70-80 people and
only a handful of pen testers. Which was lucky as my talks are usually
tailored for devs and mgmt. ;-)

I guess there are two reasons for that:
first, in London I think we already have a nice mix of pen testers and
devs in the normal community, and second, for promoting the OWASP Day we
engaged external dev & IT communities for spreading the word. In general,
dev communities are much bigger, so even if you attract only the 2-5%
security-minded guys it can be a big push.

Best regards, Tobias

On 20/06/13 10:32, Jonathan Marcil wrote:
> On 2013-06-19 10:32, Patrick Laverty wrote:
>> But back to the question. What developer-focused talks do you hold at
>> your chapter meetings that are successful?
>> Thank you all.
>> Patrick Laverty
>> OWASP Rhode Island Chapter
> Hi Patrick,
> I have some experience in choosing security talks for developers, as I
> have run the security track at the annual ConFoo conference (600+ attendees)
> here in Montreal for many years.
> I have also made 2 OWASP Montreal joint events this year with
> developer communities.
> I have some basic tips that have really worked over the years:
> - Target which developers (language? framework? stack?)
> - Have a broad subject (usually "something security" is enough)
> And for the local community joint:
> - Offer the talk as a break, a replacement from their monthly event
> A bonus that always works:
> - Take someone that people know or from a company they know (in your
> case, what the developers know)
> Concrete examples:
> In ConFoo, one of the most viewed (83 headcount with a usual average of
> 30-40 for my selection) security talks was "Web Security":
> http://confoo.ca/en/2012/session/web-security
> We spammed people during lunch before with that hyper-generic talk. I
> saw people standing up to be able to be in the room; that normally rhymes
> with success.
> At OWASP Montreal, we did a French presentation named "Secure coding for
> Java". All I did was to ask the Montreal Java User Group on their
> mailing list, and they came. 34 attendees, almost all of them Java devs.
> https://www.owasp.org/index.php/Montreal#February_26th_2013
> We also did "Drupal Security" with a guy from the company behind Drupal
> that came from N-Y and we had food. 37 attendees. Only one or two were
> infosec guys (I asked). This time also, the Montreal Drupal community
> did an invitation to their contacts.
> https://www.owasp.org/index.php/Montreal#March_25th_2013
> A normal OWASP Montreal meeting is from 15 to 30 people, so these two
> are counted as successes.
> As for beer (and free food), I'd say it works equally with security
> people and developers alike, it's really a universal attraction!
> In conclusion, I think that even if my direct OWASP reach for developers
> is somewhat poor, I use other channels to promote targeted meetings like
> that and it works very well.
> Also in ConFoo, we put swag and business cards with the Top10 in every
> bag and have a booth at the event. I don't know if it's working because
> I can't track people that way, but at least OWASP is seen by many
> Montreal developers.
> Hope this helps,
