[Owasp-leaders] Instead of OWASP libraries, why don't we ...

Tim Morgan tim.morgan at owasp.org
Fri Nov 20 22:10:34 UTC 2015

... fix the platforms developers already use?

Hi Leaders,

Last year I made an argument that OWASP should focus more on
encouraging platform developers to fix their APIs:


I haven't had a chance to revisit this since, but it seems like a good
time to bring it up, given the discussion about PHPSEC.

Gist of it:

We can provide great developer training and secure libraries all we
want, but the fact of the matter is, a significant percentage of
developers are novices and they don't even know what OWASP is.
Therefore training and libraries will not reach them.  This isn't
changing anytime soon, since there are always new developers entering
the market.  Therefore, if we want to keep those developers from
making major mistakes, we need to change our development platforms in
such a way that the most obvious way to implement something also
happens to be safe.  I believe this will drastically cut down on the
number of vulnerabilities introduced each year.

What do I have in mind, specifically, for platform changes?  I give
several examples in my talk.  The changes can be simple and subtle,
but we have to convince the owners of those platforms to do it.  It
can't be in a third-party library to reach the target audience.  How
can we engage with platform owners?  I have some ideas on that, but I
think it is going to require a significant initiative that I can't
take on alone.  Does this resonate with anyone?
