[Owasp-leaders] Developers vs. Security Pros

Rogers, John M. John.Rogers at lfg.com
Thu Jun 20 04:07:32 UTC 2013

In my previous life, I spent a fair number of years building payment software with some great development teams.  As you know, the developer's view of the world is somewhat different than everyone else:

	Architects design things
	QA breaks things
	Security is paranoid about things
	Managers want the things done faster
	And FREE FOOD/BEER is never bad

If you want to get developers to come to a security meeting, I think you need to provide information that:
1) Let them create their art faster (keeps Managers away)
2) Let them create their art with fewer bugs (keeps QA away)
3) Let them create their art more securely (keeps Security away)
4) Let them tell everyone they're cooler/smarter than the architects

Education and awareness is part of the message, but a tool demo/discussion seems to always generate interest and questions.  It is always cool to whip out ZAP and show the developers that a "security" tool can also provide insight into how their application executes and flows.  Good results are when a developer raises a hand and asks "If I understood how unproductive I made his team for the rest of the week?"
I'm still working on #4.


From: owasp-leaders-bounces at lists.owasp.org on behalf of Patrick Laverty
Sent: Tue 6/18/2013 2:08 PM
To: OWASP-Leaders at lists.owasp.org
Subject: [Owasp-leaders] Developers vs. Security Pros

I was at a local OWASP chapter meeting recently and one of the first questions asked by the presenter was:

"How many people here are the one who pesters developers when there's a security issue?" 

Every hand in the room went up. Then she asked:

"How many of you are the developer who gets pestered by the security team when there's a security issue?" 

There were about 40 people in the room and I was literally the only one who raised my hand. 

I'm not naming the chapter I attended, because this isn't specific to that chapter. I'm seeing the exact same things with my own chapter. And I've spoken with others who also see similar things.

I just checked the OWASP Core Purpose and it doesn't say anything specific about who OWASP's intended audience is.  However, I've long thought that OWASP is at least, if not primarily for developers to learn secure coding. From my observations it seems that the target of meetings has become security professionals. I'm not sure if this is because of the choice of meeting topics or just that developers aren't engaged or don't care. I understand getting them engaged is a goal of the organization, but have we as leaders decided that it's easier to attract security pros by having talks about the latest l33t h4x0rs instead of finding new and interesting ways to spread the word of secure coding? I think part of the problem with the latter is sometimes, the devs see it as code specific. If a presentation uses PHP as the demo language and they're a Java developer, they might see it as not relevant and not attend. 

So my questions are these. Who is our intended audience? Is it ok that meetings tend to attract more of the security pros than developers? Is what I'm describing an "around me" problem or do you see that in your local meetings as well? If you do a good job consistently attracting developers, what are your meeting topics that do that? If we are mostly attracting security pros, do we want to change that and if we do, how? Is anyone else seeing things similarly?


Thank you!

Patrick Laverty
OWASP Rhode Island (USA)