[Owasp-leaders] Developers vs. Security Pros

Tony Turner tony.turner at owasp.org
Sat Jun 22 21:07:32 UTC 2013


If you check out the Orlando chapter page, Bill Riggins created a slide
deck for OWASP Top 10 with code examples of bad code and possible fixes.
https://owasp.org/index.php/orlando just click on the presentation archives
link.
On Jun 22, 2013 1:43 PM, "Torsten Gigler" <torsten.gigler at owasp.org> wrote:

> Hi Patrick,
>
> we started an OWASP Project especially for developers in March 2013:
> https://www.owasp.org/index.php/Category:OWASP_Top_10_fuer_Entwickler (Top 10 Developer Edition in German). It creates a special wiki edition
> of the Top 10 for developers in German. We run for 'Security Pros'
> supporting 'Developers'.
>
> We are looking for code snippets related to the Top 10. This is not as easy
> as we thought when we started with Injection as a reference. Nevertheless,
> apart from the new 2013_A9, all issues are in progress for Java, some also for
> PHP. We would be very happy if you sent us some code snippets that we could
> add as examples ;-)
>
> When we will have moved further we plan to contribute our results to an
> English version, too. (Then, we do hope to find some native English
> speakers that will help us ;-) ).
>
> Kind regards
> Torsten
>
>
> 2013/6/18 Patrick Laverty <patrick.laverty at owasp.org>
>
>> I was at a local OWASP chapter meeting recently and one of the first
>> questions asked by the presenter was:
>>
>> "How many people here are the one who pesters developers when there's a
>> security issue?"
>>
>> Every hand in the room went up. Then she asked:
>>
>> "How many of you are the developer who gets pestered by the security team
>> when there's a security issue?"
>>
>> There were about 40 people in the room and I was literally the only one
>> who raised my hand.
>>
>> I'm not naming the chapter I attended, because this isn't specific to
>> that chapter. I'm seeing the exact same things with my own chapter. And
>> I've spoken with others who also see similar things.
>>
>> I just checked the OWASP Core Purpose and it doesn't say anything
>> specific about who OWASP's intended audience is.  However, I've long
>> thought that OWASP is at least, if not primarily for developers to learn
>> secure coding. From my observations it seems that the target of meetings
>> has become security professionals. I'm not sure if this is because of the
>> choice of meeting topics or just that developers aren't engaged or don't
>> care. I understand getting them engaged is a goal of the organization, but
>> have we as leaders decided that it's easier to attract security pros by
>> having talks about the latest l33t h4x0rs instead of finding new and
>> interesting ways to spread the word of secure coding? I think part of the
>> problem with the latter is sometimes, the devs see it as code specific. If
>> a presentation uses PHP as the demo language and they're a Java developer,
>> they might see it as not relevant and not attend.
>>
>> So my questions are these. Who is our intended audience? Is that ok that
>> meetings tend to attract more of the security pros than developers? Is what
>> I'm describing an "around me" problem or do you see that in your local
>> meetings as well? If you do a good job consistently attracting developers,
>> what are your meeting topics that do that? If we are mostly attracting
>> security pros, do we want to change that and if we do, how? Is anyone else
>> seeing things similarly?
>>
>> Thoughts?
>>
>> Thank you!
>>
>>  Patrick Laverty
>> OWASP Rhode Island (USA)
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>